Attachment 170517 Details for Bug 209661 – amd64 + i386 overflow check

[patch] amd64 + i386 overflow check

1.patch (text/plain), 1.24 KB, created by Konstantin Belousov on 2016-05-20 19:33:42 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Konstantin Belousov

Created: 2016-05-20 19:33:42 UTC

Size: 1.24 KB

patch

obsolete

>diff --git a/sys/amd64/amd64/sys_machdep.c b/sys/amd64/amd64/sys_machdep.c
>index 7a1df6b..4f85e1f 100644
>--- a/sys/amd64/amd64/sys_machdep.c
>+++ b/sys/amd64/amd64/sys_machdep.c
>@@ -344,7 +344,8 @@ amd64_set_ioperm(td, uap)
> 		return (error);
> 	if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
> 		return (error);
>-	if (uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
>+	if (uap->start > uap->start + uap->length ||
>+	    uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
> 		return (EINVAL);
> 
> 	/*
>diff --git a/sys/i386/i386/sys_machdep.c b/sys/i386/i386/sys_machdep.c
>index 4f78e29..9c8d94b 100644
>--- a/sys/i386/i386/sys_machdep.c
>+++ b/sys/i386/i386/sys_machdep.c
>@@ -315,8 +315,9 @@ i386_set_ioperm(td, uap)
> 	struct thread *td;
> 	struct i386_ioperm_args *uap;
> {
>-	int i, error;
> 	char *iomap;
>+	u_int i;
>+	int error;
> 
> 	if ((error = priv_check(td, PRIV_IO)) != 0)
> 		return (error);
>@@ -334,7 +335,8 @@ i386_set_ioperm(td, uap)
> 			return (error);
> 	iomap = (char *)td->td_pcb->pcb_ext->ext_iomap;
> 
>-	if (uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
>+	if (uap->start > uap->start + uap->length ||
>+	    uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
> 		return (EINVAL);
> 
> 	for (i = uap->start; i < uap->start + uap->length; i++) {

Actions: View | Diff

Attachments on bug 209661: 170517