Check for overflow and return EINVAL if detected. Backport this and

r300305 to i386.

PR:	209661
Reported and reviewed by:	cturt
Sponsored by:	The FreeBSD Foundation
MFC after:	3 days
This commit is contained in:
kib 2016-05-20 19:50:32 +00:00
parent ed372eaa9f
commit 515614230c
2 changed files with 6 additions and 3 deletions

View File

@ -344,7 +344,8 @@ amd64_set_ioperm(td, uap)
return (error);
if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
return (error);
if (uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
if (uap->start > uap->start + uap->length ||
uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
return (EINVAL);
/*

View File

@ -315,8 +315,9 @@ i386_set_ioperm(td, uap)
struct thread *td;
struct i386_ioperm_args *uap;
{
int i, error;
char *iomap;
u_int i;
int error;
if ((error = priv_check(td, PRIV_IO)) != 0)
return (error);
@ -334,7 +335,8 @@ i386_set_ioperm(td, uap)
return (error);
iomap = (char *)td->td_pcb->pcb_ext->ext_iomap;
if (uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
if (uap->start > uap->start + uap->length ||
uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
return (EINVAL);
for (i = uap->start; i < uap->start + uap->length; i++) {