git: f4cf977dfe92 - releng/15.0 - vt: Avoid integer overflow in CONS_HISTORY ioctl
Date: Tue, 09 Jun 2026 19:19:53 UTC
The branch releng/15.0 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=f4cf977dfe9295dd0824ac9ecf041d9974c896cf
commit f4cf977dfe9295dd0824ac9ecf041d9974c896cf
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2026-05-26 16:19:47 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-08 15:39:32 +0000
vt: Avoid integer overflow in CONS_HISTORY ioctl
Approved by: so
Security: FreeBSD-SA-26:34.vt
Security: CVE-2026-49416
Reviewed by: markj, vexeduxr
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57250
(cherry picked from commit 0ae946e7223df5ef3f7980af1d774d7f593f6421)
(cherry picked from commit deaaddf1d3c4283649945553ad7e3208c8424308)
---
sys/dev/vt/vt_buf.c | 9 ++++-----
sys/dev/vt/vt_core.c | 6 ++++--
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/sys/dev/vt/vt_buf.c b/sys/dev/vt/vt_buf.c
index e1e4ebc23491..43657fcecbdc 100644
--- a/sys/dev/vt/vt_buf.c
+++ b/sys/dev/vt/vt_buf.c
@@ -499,7 +499,6 @@ vtbuf_grow(struct vt_buf *vb, const term_pos_t *p, unsigned int history_size)
{
term_char_t *old, *new, **rows, **oldrows, **copyrows, *row, *oldrow;
unsigned int w, h, c, r, old_history_size;
- size_t bufsize, rowssize;
int history_full;
const teken_attr_t *a;
term_char_t ch;
@@ -510,10 +509,10 @@ vtbuf_grow(struct vt_buf *vb, const term_pos_t *p, unsigned int history_size)
history_size = MAX(history_size, p->tp_row);
/* Allocate new buffer. */
- bufsize = history_size * p->tp_col * sizeof(term_char_t);
- new = malloc(bufsize, M_VTBUF, M_WAITOK | M_ZERO);
- rowssize = history_size * sizeof(term_pos_t *);
- rows = malloc(rowssize, M_VTBUF, M_WAITOK | M_ZERO);
+ new = mallocarray(history_size, p->tp_col * sizeof(term_char_t),
+ M_VTBUF, M_WAITOK | M_ZERO);
+ rows = mallocarray(history_size, sizeof(term_pos_t *), M_VTBUF,
+ M_WAITOK | M_ZERO);
/* Toggle it. */
VTBUF_LOCK(vb);
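Review bot: The size argument of the first mallocarray() call, `p->tp_col * sizeof(term_char_t)`, is still an unchecked multiplication; it is safe only because tp_col is (presumably) a 16-bit term_pos_t field, so that product stays far below SIZE_MAX, and the nmemb * size check inside mallocarray() then covers the history_size factor that used to wrap in unsigned int arithmetic. As far as I recall the FreeBSD implementation, mallocarray() with M_WAITOK treats an overflowing nmemb * size as a panic rather than a failed allocation, so the guard that actually keeps a user-controlled history size from reaching that path is the range check this same commit adds to the CONS_HISTORY ioctl in vt_core.c, and that dependency is invisible from here. A comment above the allocation would make it explicit, e.g. `/* history_size is bounded by the CONS_HISTORY ioctl; mallocarray() is a backstop, not the primary check. */`. vtbuf_grow's body continues outside the hunk.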
diff --git a/sys/dev/vt/vt_core.c b/sys/dev/vt/vt_core.c
index b51ef6766de4..7d4a79b4e4a5 100644
--- a/sys/dev/vt/vt_core.c
+++ b/sys/dev/vt/vt_core.c
@@ -40,6 +40,7 @@
#include <sys/kbio.h>
#include <sys/kdb.h>
#include <sys/kernel.h>
+#include <sys/limits.h>
#include <sys/linker.h>
#include <sys/lock.h>
#include <sys/malloc.h>
@@ -2766,8 +2767,9 @@ skip_thunk:
/* XXX */
return (0);
case CONS_HISTORY:
- if (*(int *)data < 0)
- return EINVAL;
+ if (*(int *)data < 0 ||
+ *(int *)data > UINT_MAX / USHRT_MAX / sizeof(term_char_t))
+ return (EINVAL);
if (*(int *)data != vw->vw_buf.vb_history_size)
vtbuf_sethistory_size(&vw->vw_buf, *(int *)data);
return (0);
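Review bot: The bound `UINT_MAX / USHRT_MAX / sizeof(term_char_t)` on the new line encodes an invariant of vtbuf_grow() — that history_size * tp_col * sizeof(term_char_t) must fit in an unsigned int, with tp_col presumably a 16-bit term_pos_t field — but nothing in the ioctl says so, and the expression reads as a magic number. A one-line comment would preserve the reasoning: `/* Bound the history so that vtbuf_grow()'s history_size * tp_col * sizeof(term_char_t) cannot overflow. */`. The comparison mixes an int with a size_t and is correct only because the `< 0` test short-circuits first, which is another reason to keep the two conditions in this order. As a point of style, `*(int *)data` is now dereferenced four times in this case; a local such as `int history = *(int *)data;` at the top of the case would make both the check and the calls easier to read.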