svn commit: r307936 - head/sys/amd64/amd64

Tijl Coosemans tijl at FreeBSD.org
Thu Oct 27 16:28:22 UTC 2016


On Wed, 26 Oct 2016 16:25:50 +0300 Konstantin Belousov <kostikbel at gmail.com> wrote:
> On Tue, Oct 25, 2016 at 09:26:00PM +0200, Tijl Coosemans wrote:
>>> On Tue, 25 Oct 2016 17:13:46 +0000 (UTC) Gleb Smirnoff <glebius at FreeBSD.org> wrote:
>>> Author: glebius
>>> Date: Tue Oct 25 17:13:46 2016
>>> New Revision: 307936
>>> URL: https://svnweb.freebsd.org/changeset/base/307936
>>> 
>>> Log:
>>>   The argument validation in r296956 was not enough to close all possible
>>>   overflows in sysarch(2).
>>>   
>>>   Submitted by:	Kun Yang <kun.yang chaitin.com>
>>>   Patch by:	kib
>>>   Security:	SA-16:15
>>> 
>>> Modified:
>>>   head/sys/amd64/amd64/sys_machdep.c
>> 
>> This patch and r296956 need to be applied to i386 too, don't they?
> I do not think so.  The amd64 bug is that I thought that the overflow
> checks were not needed, which appeared to be not true.
> 
> i386_set_ldt(), which is the i386 version of amd64_set_ldt(), already
> contained the comparisons of largest_ld with pldt->ldt_len etc.
> 
> Still, an independent look at the i386 (and amd64 version as well) is more
> than welcome, so please read the code yourself.

It looks ok to me.  i386 checks kargs.largs.num > MAX_LD early in sysarch
so start + num cannot overflow.  On amd64 this check was removed in
https://svnweb.freebsd.org/base?view=revision&revision=217543
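The overflow the thread is about, shown as an added example that is not FreeBSD's code: a naive range check that computes start + num before bounding num accepts a wrapped sum, while bounding start and num against MAX_LD first makes the later addition safe. MAX_LD's value, the function names and the errno-style return are assumptions for illustration.

```c
/* Added example, not from sys_machdep.c: overflow-safe validation of an
 * LDT descriptor range. The names start, num, ldt_len, largest_ld and
 * MAX_LD follow the thread; the constant value and signatures are assumed. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_LD 8192u  /* assumed upper bound on LDT entries */

/* Naive check: the sum is formed before num is bounded, so a num close to
 * UINT_MAX wraps largest_ld around and a huge range passes the length test. */
bool ldt_range_ok_naive(unsigned int start, unsigned int num,
                        unsigned int ldt_len)
{
    unsigned int largest_ld = start + num;  /* may wrap to a small value */
    return largest_ld <= ldt_len;
}

/* Guarded check: reject start or num above MAX_LD before adding them, so
 * start + num is at most 2*MAX_LD and cannot wrap; only then compare
 * largest_ld with the table length. Returns 0 or EINVAL. */
int ldt_range_check(unsigned int start, unsigned int num,
                    unsigned int ldt_len)
{
    if (start > MAX_LD || num > MAX_LD)
        return EINVAL;
    unsigned int largest_ld = start + num;  /* bounded, no wraparound */
    if (largest_ld > ldt_len)
        return EINVAL;
    return 0;
}

int main(void)
{
    unsigned int len = 16;  /* constructed: a 16-entry table */
    printf("naive   start=1 num=UINT_MAX: %s\n",
           ldt_range_ok_naive(1, UINT_MAX, len) ? "accepted" : "rejected");
    printf("guarded start=1 num=UINT_MAX: %s\n",
           ldt_range_check(1, UINT_MAX, len) == 0 ? "accepted" : "rejected");
    return 0;
}
```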

