git: 91d0876a20ce - main - arm64 makectx: Fix overflow of tf_x array
Date: Thu, 17 Aug 2023 22:26:43 UTC
The branch main has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=91d0876a20cee993f3cd17b4638e779c6975d15b
commit 91d0876a20cee993f3cd17b4638e779c6975d15b
Author: John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2023-08-17 22:26:16 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2023-08-17 22:26:16 +0000
arm64 makectx: Fix overflow of tf_x array
PCB_LR isn't stored in tf_x, so trying to store it as pcb_x[PCB_LR] =
tf->tf_x[PCB_LR + PCB_X_START] overflowed the tf_x array.
Reported by: Morello (bounds check crash)
Reviewed by: jrtc27, andrew, markj
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D41485
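The index arithmetic behind the overflow described in the commit message, as an added illustration that is not FreeBSD code: a reduced model of the arm64 trapframe and pcb in which the register counts (30 entries in tf_x, pcb_x covering x19..x29 plus the LR slot) and the values of PCB_X_START and PCB_LR are assumptions chosen to reproduce the off-by-one, not values taken from the page. The pre-fix index is computed and returned rather than dereferenced, since reading it is undefined behaviour on a normal build and a bounds-checked target such as Morello traps on it; the fixed loop is then exercised against a constructed trapframe.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added illustration, not FreeBSD code. The register layout is a reduced
 * model of the arm64 trapframe/pcb; the constants below are assumptions
 * chosen to reproduce the index arithmetic the commit message describes.
 */
#define NITEMS(a)	(sizeof(a) / sizeof((a)[0]))

#define TF_NX		30	/* assumed: x0..x29 saved in the trapframe */
#define PCB_X_START	19	/* assumed: pcb_x[0] holds x19 */
#define PCB_LR		11	/* assumed: pcb_x[PCB_LR] holds LR (used as the PC) */

struct trapframe {
	uint64_t tf_sp;
	uint64_t tf_elr;
	uint64_t tf_x[TF_NX];
};

struct pcb {
	uint64_t pcb_x[PCB_LR + 1];	/* x19..x29, then LR */
	uint64_t pcb_sp;
};

/* Every pcb_x slot below PCB_LR must map onto a valid tf_x slot. */
_Static_assert(PCB_LR - 1 + PCB_X_START < TF_NX, "pcb_x/tf_x layout mismatch");

/*
 * Index the pre-fix code used for pcb_x[PCB_LR] (PCB_LR + PCB_X_START).
 * Returned, not dereferenced: with the assumed layout it equals TF_NX,
 * one past the end of tf_x.
 */
static inline int
makectx_buggy_lr_index(void)
{
	return (PCB_LR + PCB_X_START);
}

static inline int
makectx_buggy_lr_reads_in_bounds(void)
{
	return (makectx_buggy_lr_index() < TF_NX);
}

/* Post-fix behaviour: the LR slot comes from tf_elr, all others from tf_x. */
static void
makectx_fixed(const struct trapframe *tf, struct pcb *pcb)
{
	size_t i;

	for (i = 0; i < NITEMS(pcb->pcb_x); i++) {
		if (i == PCB_LR)
			pcb->pcb_x[i] = tf->tf_elr;
		else
			pcb->pcb_x[i] = tf->tf_x[i + PCB_X_START];
	}
	pcb->pcb_sp = tf->tf_sp;
}

/*
 * Fill a constructed trapframe with recognisable values and verify that
 * makectx_fixed() copies x19..x29, ELR and SP into the expected slots.
 * Returns 1 on success, 0 on any mismatch.
 */
static int
makectx_fixed_selftest(void)
{
	struct trapframe tf;
	struct pcb pcb;
	size_t i;

	memset(&tf, 0, sizeof(tf));
	memset(&pcb, 0xff, sizeof(pcb));
	for (i = 0; i < TF_NX; i++)
		tf.tf_x[i] = 0x1000 + i;		/* constructed: x_i = 0x1000 + i */
	tf.tf_elr = 0xffff000000401000ULL;	/* constructed PC */
	tf.tf_sp = 0xffff0000deadb000ULL;	/* constructed SP */

	makectx_fixed(&tf, &pcb);

	for (i = 0; i < PCB_LR; i++)
		if (pcb.pcb_x[i] != 0x1000 + i + PCB_X_START)
			return (0);
	if (pcb.pcb_x[PCB_LR] != tf.tf_elr || pcb.pcb_sp != tf.tf_sp)
		return (0);
	return (1);
}
```

The _Static_assert is the check the original loop lacked: it pins the relationship between the two array sizes and PCB_X_START at compile time, so a future change to either layout fails the build rather than producing a silent out-of-bounds read that only a bounds-checked architecture would catch.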
---
sys/arm64/arm64/machdep.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/sys/arm64/arm64/machdep.c b/sys/arm64/arm64/machdep.c
index 2a26da3d65b6..4bfbfcaa91bd 100644
--- a/sys/arm64/arm64/machdep.c
+++ b/sys/arm64/arm64/machdep.c
@@ -359,11 +359,14 @@ makectx(struct trapframe *tf, struct pcb *pcb)
{
int i;
- for (i = 0; i < nitems(pcb->pcb_x); i++)
- pcb->pcb_x[i] = tf->tf_x[i + PCB_X_START];
-
/* NB: pcb_x[PCB_LR] is the PC, see PC_REGS() in db_machdep.h */
- pcb->pcb_x[PCB_LR] = tf->tf_elr;
+ for (i = 0; i < nitems(pcb->pcb_x); i++) {
+ if (i == PCB_LR)
+ pcb->pcb_x[i] = tf->tf_elr;
+ else
+ pcb->pcb_x[i] = tf->tf_x[i + PCB_X_START];
+ }
+
pcb->pcb_sp = tf->tf_sp;
}
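Review bot: the rewritten loop still reads tf->tf_x[i + PCB_X_START] for every i other than PCB_LR, so it is correct only if PCB_LR is the sole index of pcb_x for which i + PCB_X_START falls outside tf_x, and nothing in the hunk enforces that relationship between nitems(pcb_x), PCB_X_START and nitems(tf_x). Consider either a compile-time assertion on the two array sizes next to the struct definitions, or the simpler shape `for (i = 0; i < PCB_LR; i++)` followed by the single `pcb->pcb_x[PCB_LR] = tf->tf_elr;`, which avoids the per-iteration branch and lets the `/* NB: pcb_x[PCB_LR] is the PC ... */` comment sit directly on the assignment it describes rather than above the whole loop.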