The argument validation in r296956 was not enough to close all possible

overflows in sysarch(2). Submitted by: Kun Yang <kun.yang chaitin.com> Patch by: kib Security: SA-16:15
2016-10-25 17:13:46 +00:00 · 2016-10-25 17:13:46 +00:00 · 856adf7415
commit 856adf7415
parent 038f108fc2
1 changed files with 4 additions and 1 deletions
--- a/sys/amd64/amd64/sys_machdep.c
+++ b/sys/amd64/amd64/sys_machdep.c
@ -608,6 +608,8 @@ amd64_set_ldt(td, uap, descs)
 		largest_ld = uap->start + uap->num;
 		if (largest_ld > max_ldt_segment)
 			largest_ld = max_ldt_segment;
+		if (largest_ld < uap->start)
+			return (EINVAL);
 		i = largest_ld - uap->start;
 		mtx_lock(&dt_lock);
 		bzero(&((struct user_segment_descriptor *)(pldt->ldt_base))
@ -620,7 +622,8 @@ amd64_set_ldt(td, uap, descs)
 		/* verify range of descriptors to modify */
 		largest_ld = uap->start + uap->num;
 		if (uap->start >= max_ldt_segment ||
-		    largest_ld > max_ldt_segment)
+		    largest_ld > max_ldt_segment ||
+		    largest_ld < uap->start)
 			return (EINVAL);
 	}