svn commit: r199330 - stable/7/sys/compat/pecoff

Bjoern A. Zeeb bz at
Mon Nov 16 20:34:54 UTC 2009

Author: bz
Date: Mon Nov 16 20:34:53 2009
New Revision: 199330

  As we pass the 'offset' unvalidated to vn_rdwr() make sure
  that it is unsigned rather than possibly set to something negative
  by a malicious binary.
  This is just the immediate fix to the problem mentioned in
  PR kern/80742 and by but does
  not fix all possible problems imgact_pecoff has.
  As this feature does not work and is not compiled in by default,
  the security team considers this vulnerability to be of low risk
  to the user population and will not be issuing an advisory.
  Note that this is a direct commit to stable/7 as pecoff support has
  been removed from head and stable/8 already.
  PR:		kern/80742
  Reported by:	Oliver Pinter (oliver.pntr via freebsd-security
  Help reproducing and testing by: Damian Weber (dweber
  MFC After:	3 days


Modified: stable/7/sys/compat/pecoff/imgact_pecoff.c
--- stable/7/sys/compat/pecoff/imgact_pecoff.c	Mon Nov 16 19:10:09 2009	(r199329)
+++ stable/7/sys/compat/pecoff/imgact_pecoff.c	Mon Nov 16 20:34:53 2009	(r199330)
@@ -136,7 +136,7 @@ exec_pecoff_coff_makecmds(struct image_p
 			  struct coff_filehdr *, int);
 static int      pecoff_signature(struct thread *, struct vnode *, const struct pecoff_dos_filehdr *);
-static int      pecoff_read_from(struct thread *, struct vnode *, int, caddr_t, int);
+static int      pecoff_read_from(struct thread *, struct vnode *, unsigned int, caddr_t, int);
 static int 
 pecoff_load_section(struct thread * td,
 		    struct vmspace * vmspace, struct vnode * vp,
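Review bot: In the updated pecoff_read_from() prototype the final parameter (named `siz` in the definition) is still a signed `int`, so only the offset loses its sign and a negative length is still accepted by the type. Consider making it unsigned as well, or rejecting `siz <= 0` at the top of the function, so that the offset and the length used for the read carry the same guarantee.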
@@ -292,7 +292,7 @@ pecoff_load_file(struct thread * td, con
 	struct vmspace *vmspace = td->td_proc->p_vmspace;
 	struct vattr    attr;
 	struct image_params image_params, *imgp;
-	int             peofs;
+	unsigned int peofs;
 	int             error, i, scnsiz;
 	imgp = &image_params;
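Review bot: Declaring `peofs` as `unsigned int` in pecoff_load_file() does not reject a negative value taken from the file, it only reinterprets it as a very large offset that is still passed on unvalidated. A range check against the file size before the read would close that; `struct vattr attr` is declared a few lines above, so if it holds the vnode attributes at that point the size is already at hand. Minor style point: the new line drops the column alignment used by the neighbouring declarations (`int             error, i, scnsiz;`).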
@@ -554,7 +554,7 @@ int
 pecoff_read_from(td, vp, pos, buf, siz)
 	struct thread  *td;
 	struct vnode   *vp;
-	int             pos;
+	unsigned int    pos;
 	caddr_t         buf;
 	int             siz;
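Review bot: The definition of pecoff_read_from() now takes `unsigned int pos`, but the lines shown carry no comment saying why, and any caller other than the `peofs` one changed in this patch that passes a signed `int` will be converted silently. A one-line comment above the parameter list stating that the offset is unsigned so that a negative value from a crafted binary never reaches vn_rdwr(), together with a check of the remaining call sites for signed offsets, would keep a later cleanup from undoing the fix.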
