svn commit: r300332 - in head/sys: amd64/amd64 i386/i386
Konstantin Belousov
kib at FreeBSD.org
Fri May 20 19:50:34 UTC 2016
Author: kib
Date: Fri May 20 19:50:32 2016
New Revision: 300332
URL: https://svnweb.freebsd.org/changeset/base/300332
Log:
Check for overflow and return EINVAL if detected. Backport this and
r300305 to i386.
PR: 209661
Reported and reviewed by: cturt
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Modified:
head/sys/amd64/amd64/sys_machdep.c
head/sys/i386/i386/sys_machdep.c
Modified: head/sys/amd64/amd64/sys_machdep.c
==============================================================================
--- head/sys/amd64/amd64/sys_machdep.c Fri May 20 19:46:25 2016 (r300331)
+++ head/sys/amd64/amd64/sys_machdep.c Fri May 20 19:50:32 2016 (r300332)
@@ -344,7 +344,8 @@ amd64_set_ioperm(td, uap)
return (error);
if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
return (error);
- if (uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
+ if (uap->start > uap->start + uap->length ||
+ uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
return (EINVAL);
/*
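Review bot: The added test `uap->start > uap->start + uap->length` detects wraparound only if both fields are unsigned; their declarations are not visible in this hunk, and with signed fields the sum would overflow before the comparison is made. A subtraction form avoids computing the sum at all and reads as a plain range check: `if (uap->start > IOPAGES * PAGE_SIZE * NBBY || uap->length > IOPAGES * PAGE_SIZE * NBBY - uap->start) return (EINVAL);`. A one-line comment such as `/* start and length are caller-supplied; reject ranges that wrap or exceed the I/O bitmap */` would record why the check exists. The same condition is added in the last i386_set_ioperm hunk, so the point applies there too. The body of amd64_set_ioperm continues outside the hunk.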
Modified: head/sys/i386/i386/sys_machdep.c
==============================================================================
--- head/sys/i386/i386/sys_machdep.c Fri May 20 19:46:25 2016 (r300331)
+++ head/sys/i386/i386/sys_machdep.c Fri May 20 19:50:32 2016 (r300332)
@@ -315,8 +315,9 @@ i386_set_ioperm(td, uap)
struct thread *td;
struct i386_ioperm_args *uap;
{
- int i, error;
char *iomap;
+ u_int i;
+ int error;
if ((error = priv_check(td, PRIV_IO)) != 0)
return (error);
@@ -334,7 +335,8 @@ i386_set_ioperm(td, uap)
return (error);
iomap = (char *)td->td_pcb->pcb_ext->ext_iomap;
- if (uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
+ if (uap->start > uap->start + uap->length ||
+ uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
return (EINVAL);
for (i = uap->start; i < uap->start + uap->length; i++) {