Make ps_nargvstr and ps_nenvstr unsigned. This fixes an input

validation error in procfs/linprocfs that can be exploited by local users to cause a kernel panic. All versions of FreeBSD with the patch referenced in SA-04:17.procfs have this bug, but versions without that patch have a more serious bug instead. This problem only affects systems on which procfs or linprocfs is mounted. Found by: Coverity Prevent analysis tool Security: Local DOS
2005-03-23 08:27:59 +00:00 · 2005-03-23 08:27:59 +00:00 · f2c7668eb1
commit f2c7668eb1
parent 58ce5a2700
2 changed files with 4 additions and 4 deletions
--- a/sys/amd64/linux32/linux32_sysvec.c
+++ b/sys/amd64/linux32/linux32_sysvec.c
@ -207,9 +207,9 @@ static int _bsd_to_linux_trapcode[] = {

 struct linux32_ps_strings {
 	u_int32_t ps_argvstr;	/* first of 0 or more argument strings */
-	int	ps_nargvstr;	/* the number of argument strings */
+	u_int ps_nargvstr;	/* the number of argument strings */
 	u_int32_t ps_envstr;	/* first of 0 or more environment strings */
-	int	ps_nenvstr;	/* the number of environment strings */
+	u_int ps_nenvstr;	/* the number of environment strings */
 };

 /*
--- a/sys/sys/exec.h
+++ b/sys/sys/exec.h
@ -48,9 +48,9 @@
 */
 struct ps_strings {
 	char	**ps_argvstr;	/* first of 0 or more argument strings */
-	int	ps_nargvstr;	/* the number of argument strings */
+	unsigned int ps_nargvstr; /* the number of argument strings */
 	char	**ps_envstr;	/* first of 0 or more environment strings */
-	int	ps_nenvstr;	/* the number of environment strings */
+	unsigned int ps_nenvstr; /* the number of environment strings */
 };

 /*