The branch main has been updated by emaste:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=0ae946e7223df5ef3f7980af1d774d7f593f6421

commit 0ae946e7223df5ef3f7980af1d774d7f593f6421
Author:     Ed Maste <[email protected]>
AuthorDate: 2026-05-26 16:19:47 +0000
Commit:     Ed Maste <[email protected]>
CommitDate: 2026-06-05 17:56:12 +0000

    vt: Avoid integer overflow in CONS_HISTORY ioctl
    
    Reviewed by:    markj, vexeduxr
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D57250
---
 sys/dev/vt/vt_buf.c  | 9 ++++-----
 sys/dev/vt/vt_core.c | 6 ++++--
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/sys/dev/vt/vt_buf.c b/sys/dev/vt/vt_buf.c
index 8596342c139a..9b65a7cb889c 100644
--- a/sys/dev/vt/vt_buf.c
+++ b/sys/dev/vt/vt_buf.c
@@ -529,7 +529,6 @@ vtbuf_grow(struct vt_buf *vb, const term_pos_t *p, unsigned 
int history_size)
 {
        term_char_t *old, *new, **rows, **oldrows, **copyrows, *row, *oldrow;
        unsigned int w, h, c, r, old_history_size;
-       size_t bufsize, rowssize;
        int history_full;
        const teken_attr_t *a;
        term_char_t ch;
@@ -540,10 +539,10 @@ vtbuf_grow(struct vt_buf *vb, const term_pos_t *p, 
unsigned int history_size)
        history_size = MAX(history_size, p->tp_row);
 
        /* Allocate new buffer. */
-       bufsize = history_size * p->tp_col * sizeof(term_char_t);
-       new = malloc(bufsize, M_VTBUF, M_WAITOK | M_ZERO);
-       rowssize = history_size * sizeof(term_pos_t *);
-       rows = malloc(rowssize, M_VTBUF, M_WAITOK | M_ZERO);
+       new = mallocarray(history_size, p->tp_col * sizeof(term_char_t),
+           M_VTBUF, M_WAITOK | M_ZERO);
+       rows = mallocarray(history_size, sizeof(term_pos_t *), M_VTBUF,
+           M_WAITOK | M_ZERO);
 
        /* Toggle it. */
        VTBUF_LOCK(vb);
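Review bot: The second mallocarray() call sizes the `rows` array with `sizeof(term_pos_t *)`, but `rows` is declared as `term_char_t **` at the top of the function, so the element type named is not the one stored. Writing `sizeof(*rows)` here, and `p->tp_col * sizeof(*new)` in the first call, would tie each size to the pointer it fills. All object pointers have the same size in practice, so this is a readability point rather than a miscount. Separately, a comment such as `/* history_size is range-checked by the CONS_HISTORY ioctl handler. */` would record that vtbuf_grow() still relies on its callers for the limit; how mallocarray() reacts to an overflowing product under M_WAITOK is not visible here and is worth confirming. The body of vtbuf_grow() continues outside the hunk.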
diff --git a/sys/dev/vt/vt_core.c b/sys/dev/vt/vt_core.c
index db54cb426844..81487d27a6fc 100644
--- a/sys/dev/vt/vt_core.c
+++ b/sys/dev/vt/vt_core.c
@@ -40,6 +40,7 @@
 #include <sys/kbio.h>
 #include <sys/kdb.h>
 #include <sys/kernel.h>
+#include <sys/limits.h>
 #include <sys/linker.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
@@ -2802,8 +2803,9 @@ skip_thunk:
                /* XXX */
                return (0);
        case CONS_HISTORY:
-               if (*(int *)data < 0)
-                       return EINVAL;
+               if (*(int *)data < 0 ||
+                   *(int *)data > UINT_MAX / USHRT_MAX / sizeof(term_char_t))
+                       return (EINVAL);
                if (*(int *)data != vw->vw_buf.vb_history_size)
                        vtbuf_sethistory_size(&vw->vw_buf, *(int *)data);
                return (0);
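Review bot: The upper bound `UINT_MAX / USHRT_MAX / sizeof(term_char_t)` in the CONS_HISTORY case is unexplained. Presumably it keeps rows times a worst-case USHRT_MAX columns times the cell size within an unsigned int, and a comment such as `/* Keep history * max columns * sizeof(term_char_t) within UINT_MAX. */` would let a reader check it against vtbuf_grow(). Reading the argument once into a local, `int size = *(int *)data;`, would also remove the four repeated casts. This is an arithmetic bound rather than a memory budget: the M_WAITOK allocations in vtbuf_grow() can still be large at the maximum accepted value, so whether a lower policy limit is wanted depends on who may issue this ioctl, which the hunk does not show. The enclosing switch and function begin outside the hunk.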
