Bounds check the length parameter to i386_set_ldt() before passing it

to kmem_alloc(). Failure to do this made it possible for user processes to cause a hard lock on i386 kernels. I believe this only affects 6-CURRENT on or after 2005-01-26. Found by: Coverity Prevent analysis tool Security: Local DOS
2005-03-23 08:28:03 +00:00 · 2005-03-23 08:28:03 +00:00 · 8a4d2b06c7
commit 8a4d2b06c7
parent aa675b572f
1 changed files with 2 additions and 0 deletions
--- a/sys/i386/i386/sys_machdep.c
+++ b/sys/i386/i386/sys_machdep.c
@ -103,6 +103,8 @@ sysarch(td, uap)
 		if ((error = copyin(uap->parms, &kargs.largs,
 		    sizeof(struct i386_ldt_args))) != 0)
 			return (error);
+		if (kargs.largs.num > MAX_LD || kargs.largs.num <= 0)
+			return (EINVAL);
 		break;
 	default:
 		break;