The branch stable/14 has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=74a0b890848362f1a4115972262a518f3d83f504

commit 74a0b890848362f1a4115972262a518f3d83f504
Author:     Mark Johnston <ma...@freebsd.org>
AuthorDate: 2025-03-29 08:54:48 +0000
Commit:     Mark Johnston <ma...@freebsd.org>
CommitDate: 2025-04-15 02:25:24 +0000

    ptrace: Do not pass a negative resid to proc_rwmem()
    
    While here, avoid truncating uio_resid in proc_rwmem().
    
    Reviewed by:    kib
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D49479
    
    (cherry picked from commit 1a80a157cbe823ba75bb88823dbf1b245fe87c99)
---
 sys/kern/sys_process.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index 19fe8bcc7627..497084f83563 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -393,7 +393,7 @@ proc_rwmem(struct proc *p, struct uio *uio)
                /*
                 * How many bytes to copy
                 */
-               len = min(PAGE_SIZE - page_offset, uio->uio_resid);
+               len = MIN(PAGE_SIZE - page_offset, uio->uio_resid);
 
                /*
                 * Fault and hold the page on behalf of the process.
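Review bot: The switch from min() to MIN() on the len assignment is not explained in the code, and the comment above it still only says "How many bytes to copy". FreeBSD's min() takes u_int arguments and uio_resid is wider, so a short comment saying the macro is used to avoid truncating uio_resid would keep a later cleanup from reverting it. The declarations of len and page_offset are outside this hunk, so it is also worth confirming that MIN() does not end up comparing a signed value against an unsigned one here.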
@@ -1388,6 +1388,10 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void 
*addr, int data)
 
        case PT_IO:
                piod = addr;
+               if (piod->piod_len > SSIZE_MAX) {
+                       error = EINVAL;
+                       goto out;
+               }
                iov.iov_base = piod->piod_addr;
                iov.iov_len = piod->piod_len;
                uio.uio_offset = (off_t)(uintptr_t)piod->piod_offs;
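Review bot: The new piod_len > SSIZE_MAX check in the PT_IO case adds an EINVAL return that nothing else in this change documents or tests, since the diffstat touches only sys/kern/sys_process.c. Consider noting the limit in the ptrace(2) manual page and adding a regression test that issues PT_IO with a piod_len above SSIZE_MAX and expects EINVAL. A one-line comment above the check saying that a larger length would end up as a negative resid passed to proc_rwmem() would also help, because the uio_resid assignment is not in the visible context.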
