Use unsigned int for index value.

Without this change a local attacker could trigger a panic by tricking the kernel into accessing undefined kernel memory. We would like to acknowledge Francisco Falcon from CORE Security Technologies who discovered the issue and reported to the FreeBSD Security Team. More information can be found at CORE Security's advisory at: http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities This is an errata candidate for releng/10.1 and releng/9.3. Earlier releases are not affected. Reported by: Francisco Falcon from CORE Security Technologies Security: CVE-2014-0998 Reviewed by: dumbbell MFC after: 3 days
2015-01-27 19:35:41 +00:00 · 2015-01-27 19:35:41 +00:00 · 1ff092273d
commit 1ff092273d
parent 5cdb10065c
1 changed files with 8 additions and 5 deletions
--- a/sys/dev/vt/vt_core.c
+++ b/sys/dev/vt/vt_core.c
@ -2367,20 +2367,23 @@ skip_thunk:
 		}
 		VT_UNLOCK(vd);
 		return (EINVAL);
-	case VT_WAITACTIVE:
+	case VT_WAITACTIVE: {
+		unsigned int idx;
+
 		error = 0;

-		i = *(unsigned int *)data;
-		if (i > VT_MAXWINDOWS)
+		idx = *(unsigned int *)data;
+		if (idx > VT_MAXWINDOWS)
 			return (EINVAL);
-		if (i != 0)
-			vw = vd->vd_windows[i - 1];
+		if (idx > 0)
+			vw = vd->vd_windows[idx - 1];

 		VT_LOCK(vd);
 		while (vd->vd_curwindow != vw && error == 0)
 			error = cv_wait_sig(&vd->vd_winswitch, &vd->vd_lock);
 		VT_UNLOCK(vd);
 		return (error);
+	}
 	case VT_SETMODE: {    	/* set screen switcher mode */
 		struct vt_mode *mode;
 		struct proc *p1;