Date:      Tue, 27 Jan 2015 19:35:42 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r277806 - head/sys/dev/vt
Message-ID:  <201501271935.t0RJZgbo015250@svn.freebsd.org>

Author: delphij
Date: Tue Jan 27 19:35:41 2015
New Revision: 277806
URL: https://svnweb.freebsd.org/changeset/base/277806

Log:
  Use unsigned int for index value.
  
  Without this change a local attacker could trigger a panic by
  tricking the kernel into accessing undefined kernel memory.
  
  We would like to acknowledge Francisco Falcon from CORE Security
  Technologies who discovered the issue and reported to the
  FreeBSD Security Team.
  
  More information can be found at CORE Security's advisory at:
  http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities
  
  This is an errata candidate for releng/10.1 and releng/9.3.  Earlier
  releases are not affected.
  
  Reported by:	Francisco Falcon from CORE Security Technologies
  Security:	CVE-2014-0998
  Reviewed by:	dumbbell
  MFC after:	3 days

Modified:
  head/sys/dev/vt/vt_core.c

Modified: head/sys/dev/vt/vt_core.c
==============================================================================
--- head/sys/dev/vt/vt_core.c	Tue Jan 27 19:35:38 2015	(r277805)
+++ head/sys/dev/vt/vt_core.c	Tue Jan 27 19:35:41 2015	(r277806)
@@ -2367,20 +2367,23 @@ skip_thunk:
 		}
 		VT_UNLOCK(vd);
 		return (EINVAL);
-	case VT_WAITACTIVE:
+	case VT_WAITACTIVE: {
+		unsigned int idx;
+
 		error = 0;
 
-		i = *(unsigned int *)data;
-		if (i > VT_MAXWINDOWS)
+		idx = *(unsigned int *)data;
+		if (idx > VT_MAXWINDOWS)
 			return (EINVAL);
-		if (i != 0)
-			vw = vd->vd_windows[i - 1];
+		if (idx > 0)
+			vw = vd->vd_windows[idx - 1];
 
 		VT_LOCK(vd);
 		while (vd->vd_curwindow != vw && error == 0)
 			error = cv_wait_sig(&vd->vd_winswitch, &vd->vd_lock);
 		VT_UNLOCK(vd);
 		return (error);
+	}
 	case VT_SETMODE: {    	/* set screen switcher mode */
 		struct vt_mode *mode;
 		struct proc *p1;
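
Review bot: The lookup `vw = vd->vd_windows[idx - 1]` in the VT_WAITACTIVE case still runs before `VT_LOCK(vd)`, while the wait loop that compares `vd->vd_curwindow` against `vw` runs under the lock. Consider taking the lock before the index check and lookup (dropping it on the EINVAL return), or add a comment stating why the unlocked read of `vd_windows` is safe. Two smaller points in the same case: `idx > VT_MAXWINDOWS` accepts `idx == VT_MAXWINDOWS`, which is only correct because the slot used is `idx - 1`, so a one-line comment that the ioctl argument is 1-based and that 0 leaves `vw` at its earlier value would make the bounds check easier to audit; and since the cast on `data` was already `unsigned int`, the fix rests entirely on the type of the receiving variable, which is worth saying next to the `unsigned int idx;` declaration so it is not folded back into a shared signed `i` later.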


