authorColin Percival <cperciva@FreeBSD.org>2005-05-06 02:40:32 +0000
committerColin Percival <cperciva@FreeBSD.org>2005-05-06 02:40:32 +0000
commitc7be66d1904c2bc85c73040d0b98529bd9ad5a92 (patch)
tree5f042d43c9dd5dc130c67d1a2ac4af8379545dc9
parente0b13f513277ce4d0fe927cfc88835670f24a08e (diff)
Correctly validate inputs to the i386_get_ldt syscall.
Security: FreeBSD-SA-05:07.ldt Approved by: so (cperciva)
Notes
Notes: svn path=/releng/4.11/; revision=145951
-rw-r--r--UPDATING3
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/i386/i386/sys_machdep.c9
3 files changed, 8 insertions, 6 deletions
diff --git a/UPDATING b/UPDATING
index 28b508134c81..090b9516dd03 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,9 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20050506: p6 FreeBSD-SA-05:07.ldt
+ Correctly validate inputs to the i386_get_ldt syscall.
+
20050506: p5 FreeBSD-SA-05:06.iir
Correct overly liberal permissions on /dev/iir.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 7b080f1cbf5f..40c0bbd17870 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.11"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/i386/i386/sys_machdep.c b/sys/i386/i386/sys_machdep.c
index f87e333cbf88..a9dcf48254a3 100644
--- a/sys/i386/i386/sys_machdep.c
+++ b/sys/i386/i386/sys_machdep.c
@@ -342,10 +342,6 @@ i386_get_ldt(p, args)
uap->start, uap->num, (void *)uap->descs);
#endif
- /* verify range of LDTs exist */
- if ((uap->start < 0) || (uap->num <= 0))
- return(EINVAL);
-
s = splhigh();
if (pcb_ldt) {
@@ -357,7 +353,10 @@ i386_get_ldt(p, args)
num = min(uap->num, nldt);
lp = &ldt[uap->start];
}
- if (uap->start + num > nldt) {
+
+ if ((uap->start > (unsigned int)nldt) ||
+ ((unsigned int)num > (unsigned int)nldt) ||
+ ((unsigned int)(uap->start + num) > (unsigned int)nldt)) {
splx(s);
return(EINVAL);
}