svn commit: r296956 - head/sys/amd64/amd64
Gleb Smirnoff
glebius at FreeBSD.org
Wed Mar 16 22:33:13 UTC 2016
Author: glebius
Date: Wed Mar 16 22:33:12 2016
New Revision: 296956
URL: https://svnweb.freebsd.org/changeset/base/296956
Log:
Due to invalid use of a signed intermediate value in the bounds checking
during argument validity verification, unbound zero'ing of the process LDT
and adjacent memory can be initiated from usermode.
Submitted by: CORE Security
Patch by: kib
Security: SA-16:15
Modified:
head/sys/amd64/amd64/sys_machdep.c
Modified: head/sys/amd64/amd64/sys_machdep.c
==============================================================================
--- head/sys/amd64/amd64/sys_machdep.c Wed Mar 16 22:31:04 2016 (r296955)
+++ head/sys/amd64/amd64/sys_machdep.c Wed Mar 16 22:33:12 2016 (r296956)
@@ -580,8 +580,8 @@ amd64_set_ldt(td, uap, descs)
struct i386_ldt_args *uap;
struct user_segment_descriptor *descs;
{
- int error = 0, i;
- int largest_ld;
+ int error = 0;
+ unsigned int largest_ld, i;
struct mdproc *mdp = &td->td_proc->p_md;
struct proc_ldt *pldt;
struct user_segment_descriptor *dp;
More information about the svn-src-all
mailing list