d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

arm64 makectx: Fix overflow of tf_x array

Browse Source 
PCB_LR isn't stored in tf_x, so trying to store it as pcb_x[PCB_LR] =
tf->tf_x[PCB_LR + PCB_X_START] overflowed the tf_x array.

Reported by:	Morello (bounds check crash)
Reviewed by:	jrtc27, andrew, markj
Sponsored by:	DARPA
Differential Revision:	https://reviews.freebsd.org/D41485
This commit is contained in:
John Baldwin 2023-08-17 15:26:16 -07:00
parent 5635d5b61e
commit 91d0876a20
1 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
sys/arm64/arm64/machdep.c
View File

@ -359,11 +359,14 @@ makectx(struct trapframe *tf, struct pcb *pcb)
{
int i;
for (i = 0; i < nitems(pcb->pcb_x); i++)
pcb->pcb_x[i] = tf->tf_x[i + PCB_X_START];
/* NB: pcb_x[PCB_LR] is the PC, see PC_REGS() in db_machdep.h */
pcb->pcb_x[PCB_LR] = tf->tf_elr;
for (i = 0; i < nitems(pcb->pcb_x); i++) {
if (i == PCB_LR)
pcb->pcb_x[i] = tf->tf_elr;
else
pcb->pcb_x[i] = tf->tf_x[i + PCB_X_START];
}
pcb->pcb_sp = tf->tf_sp;
}