d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

If the trap number stored in the trapframe is corrupted into a negative

Browse Source 
value, then we would use a negative index into the trap_msg[] array
resulting in a nested page fault.  Make the 'type' variable holding the
trap number unsigned to avoid this.

MFC after:	2 weeks
Approved by:	re (rwatson)
This commit is contained in:
John Baldwin 2007-07-26 15:32:55 +00:00
parent bb5ba44f82
commit de016534a8
2 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
sys/amd64/amd64/trap.c
View File

@ -159,7 +159,8 @@ trap(struct trapframe *frame)
{
struct thread *td = curthread;
struct proc *p = td->td_proc;
int i = 0, ucode = 0, type, code;
int i = 0, ucode = 0, code;
u_int type;
register_t addr = 0;
ksiginfo_t ksi;
@ -622,7 +623,8 @@ trap_fatal(frame, eva)
struct trapframe *frame;
vm_offset_t eva;
{
int code, type, ss;
int code, ss;
u_int type;
long esp;
struct soft_segment_descriptor softseg;
char *msg;

6
sys/i386/i386/trap.c
View File

@ -173,7 +173,8 @@ trap(struct trapframe *frame)
{
struct thread *td = curthread;
struct proc *p = td->td_proc;
int i = 0, ucode = 0, type, code;
int i = 0, ucode = 0, code;
u_int type;
register_t addr = 0;
vm_offset_t eva;
ksiginfo_t ksi;
@ -793,7 +794,8 @@ trap_fatal(frame, eva)
struct trapframe *frame;
vm_offset_t eva;
{
int code, type, ss, esp;
int code, ss, esp;
u_int type;
struct soft_segment_descriptor softseg;
char *msg;