The branch main has been updated by jhb:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=91d0876a20cee993f3cd17b4638e779c6975d15b

commit 91d0876a20cee993f3cd17b4638e779c6975d15b
Author:     John Baldwin <[email protected]>
AuthorDate: 2023-08-17 22:26:16 +0000
Commit:     John Baldwin <[email protected]>
CommitDate: 2023-08-17 22:26:16 +0000

    arm64 makectx: Fix overflow of tf_x array
    
    PCB_LR isn't stored in tf_x, so trying to store it as pcb_x[PCB_LR] =
    tf->tf_x[PCB_LR + PCB_X_START] overflowed the tf_x array.
    
    Reported by:    Morello (bounds check crash)
    Reviewed by:    jrtc27, andrew, markj
    Sponsored by:   DARPA
    Differential Revision:  https://reviews.freebsd.org/D41485
---
 sys/arm64/arm64/machdep.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/sys/arm64/arm64/machdep.c b/sys/arm64/arm64/machdep.c
index 2a26da3d65b6..4bfbfcaa91bd 100644
--- a/sys/arm64/arm64/machdep.c
+++ b/sys/arm64/arm64/machdep.c
@@ -359,11 +359,14 @@ makectx(struct trapframe *tf, struct pcb *pcb)
 {
        int i;
 
-       for (i = 0; i < nitems(pcb->pcb_x); i++)
-               pcb->pcb_x[i] = tf->tf_x[i + PCB_X_START];
-
        /* NB: pcb_x[PCB_LR] is the PC, see PC_REGS() in db_machdep.h */
-       pcb->pcb_x[PCB_LR] = tf->tf_elr;
+       for (i = 0; i < nitems(pcb->pcb_x); i++) {
+               if (i == PCB_LR)
+                       pcb->pcb_x[i] = tf->tf_elr;
+               else
+                       pcb->pcb_x[i] = tf->tf_x[i + PCB_X_START];
+       }
+
        pcb->pcb_sp = tf->tf_sp;
 }
 
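Review bot: The `NB: pcb_x[PCB_LR] is the PC` comment now sits above the whole loop rather than beside the assignment it explains; consider moving it into the `if (i == PCB_LR)` branch next to `pcb->pcb_x[i] = tf->tf_elr;` so the special case and its justification stay together. The loop change itself is sound: the old loop read `tf->tf_x[i + PCB_X_START]` for every `i`, including `PCB_LR`, which the commit message says runs past the end of `tf_x`, and the new loop only reaches the `tf_x` read for `i != PCB_LR`. Since the out-of-bounds read was only caught at runtime by a bounds-checking build, a compile-time check (e.g. a `CTASSERT`) that the largest non-`PCB_LR` index plus `PCB_X_START` stays within `nitems(tf->tf_x)` would document the invariant this fix relies on and fail the build if the register layout changes again.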
