svn commit: r296956 - head/sys/amd64/amd64

[Gleb Smirnoff]

Author: glebius
Date: Wed Mar 16 22:33:12 2016
New Revision: 296956
URL: https://svnweb.freebsd.org/changeset/base/296956

Log:
  Due to invalid use of a signed intermediate value in the bounds checking
  during argument validity verification, unbound zero'ing of the process LDT
  and adjacent memory can be initiated from usermode.
  
  Submitted by: CORE Security
  Patch by:     kib
  Security:     SA-16:15

Modified:
  head/sys/amd64/amd64/sys_machdep.c

Modified: head/sys/amd64/amd64/sys_machdep.c
==============================================================================
--- head/sys/amd64/amd64/sys_machdep.c  Wed Mar 16 22:31:04 2016        
(r296955)
+++ head/sys/amd64/amd64/sys_machdep.c  Wed Mar 16 22:33:12 2016        
(r296956)
@@ -580,8 +580,8 @@ amd64_set_ldt(td, uap, descs)
        struct i386_ldt_args *uap;
        struct user_segment_descriptor *descs;
 {
-       int error = 0, i;
-       int largest_ld;
+       int error = 0;
+       unsigned int largest_ld, i;
        struct mdproc *mdp = &td->td_proc->p_md;
        struct proc_ldt *pldt;
        struct user_segment_descriptor *dp;
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"