d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Although aio_nbytes is size_t, later is is signed to

Browse Source 
casted types: to ssize_t in filesystem code and to
int in buf code, thus supplying a negative argument
leads to kernel panic later. To fix that check user
supplied argument in the beginning of syscall.

Submitted by:	Maxim Dounin <mdounin mdounin.ru>, maxim@
This commit is contained in:
Gleb Smirnoff 2012-01-26 11:59:48 +00:00
parent 2930db16a0
commit 434ea137cc
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
sys/kern/vfs_aio.c
View File

@ -1552,6 +1552,12 @@ aio_aqueue(struct thread *td, struct aiocb *job, struct aioliojob *lj,
return (error);
}
/* XXX: aio_nbytes is later casted to signed types. */
if ((int)aiocbe->uaiocb.aio_nbytes < 0) {
uma_zfree(aiocb_zone, aiocbe);
return (EINVAL);
}
if (aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_KEVENT &&
aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_SIGNAL &&
aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_THREAD_ID &&