From f2c7668eb1581c4fbd5a7d43af0dd363f8b3206e Mon Sep 17 00:00:00 2001 From: David Schultz Date: Wed, 23 Mar 2005 08:27:59 +0000 Subject: [PATCH] Make ps_nargvstr and ps_nenvstr unsigned. This fixes an input validation error in procfs/linprocfs that can be exploited by local users to cause a kernel panic. All versions of FreeBSD with the patch referenced in SA-04:17.procfs have this bug, but versions without that patch have a more serious bug instead. This problem only affects systems on which procfs or linprocfs is mounted. Found by: Coverity Prevent analysis tool Security: Local DOS --- sys/amd64/linux32/linux32_sysvec.c | 4 ++-- sys/sys/exec.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/sys/amd64/linux32/linux32_sysvec.c b/sys/amd64/linux32/linux32_sysvec.c index be4c6cce987a..8e0fc950d640 100644 --- a/sys/amd64/linux32/linux32_sysvec.c +++ b/sys/amd64/linux32/linux32_sysvec.c @@ -207,9 +207,9 @@ static int _bsd_to_linux_trapcode[] = { struct linux32_ps_strings { u_int32_t ps_argvstr; /* first of 0 or more argument strings */ - int ps_nargvstr; /* the number of argument strings */ + u_int ps_nargvstr; /* the number of argument strings */ u_int32_t ps_envstr; /* first of 0 or more environment strings */ - int ps_nenvstr; /* the number of environment strings */ + u_int ps_nenvstr; /* the number of environment strings */ }; /* diff --git a/sys/sys/exec.h b/sys/sys/exec.h index 07becafe0f25..8c95c36e6874 100644 --- a/sys/sys/exec.h +++ b/sys/sys/exec.h @@ -48,9 +48,9 @@ */ struct ps_strings { char **ps_argvstr; /* first of 0 or more argument strings */ - int ps_nargvstr; /* the number of argument strings */ + unsigned int ps_nargvstr; /* the number of argument strings */ char **ps_envstr; /* first of 0 or more environment strings */ - int ps_nenvstr; /* the number of environment strings */ + unsigned int ps_nenvstr; /* the number of environment strings */ }; /*