svn commit: r331981 - head/sys/dev/vt

Gordon Tetlow gordon at FreeBSD.org
Wed Apr 4 05:21:47 UTC 2018


Author: gordon
Date: Wed Apr  4 05:21:46 2018
New Revision: 331981
URL: https://svnweb.freebsd.org/changeset/base/331981

Log:
  Limit glyph count in vtfont_load to avoid integer overflow.
  
  Invalid font data passed to PIO_VFONT can result in an integer overflow
  in glyphsize.  Characters may then be drawn on the console using glyph
  map entries that point beyond the end of allocated glyph memory,
  resulting in a kernel memory disclosure.
  
  Submitted by:	emaste
  Reported by:	Dr. Silvio Cesare of InfoSect
  Security:	CVE-2018-6917
  Security:	FreeBSD-SA-18:04.vt
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/sys/dev/vt/vt_font.c

Modified: head/sys/dev/vt/vt_font.c
==============================================================================
--- head/sys/dev/vt/vt_font.c	Wed Apr  4 04:26:21 2018	(r331980)
+++ head/sys/dev/vt/vt_font.c	Wed Apr  4 05:21:46 2018	(r331981)
@@ -44,6 +44,7 @@ static MALLOC_DEFINE(M_VTFONT, "vtfont", "vt font");
 
 /* Some limits to prevent abnormal fonts from being loaded. */
 #define	VTFONT_MAXMAPPINGS	65536
+#define	VTFONT_MAXGLYPHS	131072
 #define	VTFONT_MAXGLYPHSIZE	2097152
 #define	VTFONT_MAXDIMENSION	128
 
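Review bot: The new VTFONT_MAXGLYPHS value of 131072 carries no rationale, and nothing at the define ties it to the overflow it is meant to prevent. The existing comment above the block only says the limits "prevent abnormal fonts from being loaded". Since the log message says this bound is what keeps the glyphsize computation from overflowing, a one-line comment on the define stating that it was chosen together with VTFONT_MAXDIMENSION (128) so the glyphsize product cannot wrap would stop a later change to either constant from silently reopening the bug.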
@@ -173,7 +174,8 @@ vtfont_load(vfnt_t *f, struct vt_font **ret)
 	/* Make sure the dimensions are valid. */
 	if (f->width < 1 || f->height < 1)
 		return (EINVAL);
-	if (f->width > VTFONT_MAXDIMENSION || f->height > VTFONT_MAXDIMENSION)
+	if (f->width > VTFONT_MAXDIMENSION || f->height > VTFONT_MAXDIMENSION ||
+	    f->glyph_count > VTFONT_MAXGLYPHS)
 		return (E2BIG);
 
 	/* Not too many mappings. */
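Review bot: The glyph_count test is folded into the condition under the comment "Make sure the dimensions are valid", but glyph_count is not a dimension, so the security-relevant bound is easy to miss when reading vtfont_load. Consider giving it its own check and comment, in the style of the "Not too many mappings." block that follows, for example `if (f->glyph_count > VTFONT_MAXGLYPHS) return (E2BIG);` under a "Not too many glyphs." comment. The glyphsize computation itself is outside this hunk, so it is also worth stating in the comment that this check must stay ahead of that computation.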

