Date: Mon, 23 May 2016 00:58:52 +0000 (UTC) From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r300441 - in stable/10/sys: amd64/amd64 i386/i386 Message-ID: <201605230058.u4N0wqsL098400@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kib Date: Mon May 23 00:58:52 2016 New Revision: 300441 URL: https://svnweb.freebsd.org/changeset/base/300441 Log: MFC r300305, r300332: Check for overflow and return EINVAL if detected. Use unsigned index. Modified: stable/10/sys/amd64/amd64/sys_machdep.c stable/10/sys/i386/i386/sys_machdep.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/amd64/amd64/sys_machdep.c ============================================================================== --- stable/10/sys/amd64/amd64/sys_machdep.c Sun May 22 23:28:23 2016 (r300440) +++ stable/10/sys/amd64/amd64/sys_machdep.c Mon May 23 00:58:52 2016 (r300441) @@ -334,18 +334,20 @@ amd64_set_ioperm(td, uap) struct thread *td; struct i386_ioperm_args *uap; { - int i, error; char *iomap; struct amd64tss *tssp; struct system_segment_descriptor *tss_sd; u_long *addr; struct pcb *pcb; + u_int i; + int error; if ((error = priv_check(td, PRIV_IO)) != 0) return (error); if ((error = securelevel_gt(td->td_ucred, 0)) != 0) return (error); - if (uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY) + if (uap->start > uap->start + uap->length || + uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY) return (EINVAL); /* Modified: stable/10/sys/i386/i386/sys_machdep.c ============================================================================== --- stable/10/sys/i386/i386/sys_machdep.c Sun May 22 23:28:23 2016 (r300440) +++ stable/10/sys/i386/i386/sys_machdep.c Mon May 23 00:58:52 2016 (r300441) @@ -344,8 +344,9 @@ i386_set_ioperm(td, uap) struct thread *td; struct i386_ioperm_args *uap; { - int i, error; char *iomap; + u_int i; + int error; if ((error = priv_check(td, PRIV_IO)) != 0) return (error); @@ -363,7 +364,8 @@ i386_set_ioperm(td, uap) return (error); iomap = (char *)td->td_pcb->pcb_ext->ext_iomap; - if (uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY) + if (uap->start > uap->start + uap->length || + uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY) return (EINVAL); for (i = uap->start; i < uap->start + uap->length; i++) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201605230058.u4N0wqsL098400>