Module Name:    src
Committed By:   christos
Date:           Thu Jul 14 06:22:17 UTC 2016
Modified Files:
        src/sys/kern: kern_event.c

Log Message:
From tedu at openbsd: kevent validates that ident is a valid fd by getting the file. one sad quirk: uint64 to int32 truncation can lead to false positives, and then later in the array sizing code, very big mallocs panic the kernel. add a check that the ident isn't larger than INT_MAX in the fd case. reported by Tim Newsham

To generate a diff of this commit:
cvs rdiff -u -r1.86 -r1.87 src/sys/kern/kern_event.c

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
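The truncation described in the log message, shown as an added user-space example (not NetBSD's own code): the pre-fix path narrows the 64-bit ident to an int before looking it up, so an ident whose low 32 bits happen to match an open descriptor passes validation; the post-fix path rejects anything above INT_MAX before narrowing, which is the check the commit adds. The fd table and `mock_fd_getfile()` are constructed stand-ins for the kernel's `fd_getfile()`, not real kernel APIs.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the process fd table: descriptors 0..3 are open. */
#define NUM_FDS 4
static const int fd_open[NUM_FDS] = { 1, 1, 1, 1 };

/* Hypothetical mock of the kernel's fd_getfile(): returns 1 when fd refers
 * to an open descriptor, 0 otherwise (the real one returns a file pointer). */
static int mock_fd_getfile(int fd)
{
    if (fd < 0 || fd >= NUM_FDS)
        return 0;
    return fd_open[fd];
}

/* Pre-fix behaviour: the 64-bit ident is narrowed to int before the lookup.
 * Converting an out-of-range value to int is implementation-defined in C;
 * on the usual two's-complement compilers it keeps the low 32 bits, so
 * 0x100000003 becomes fd 3 and the lookup wrongly succeeds. */
int validate_ident_before(uint64_t ident)
{
    int fd = (int)ident;                 /* uint64 -> int32 truncation */
    if (!mock_fd_getfile(fd))
        return EBADF;
    return 0;
}

/* Post-fix behaviour, mirroring the committed check: reject any ident that
 * cannot be an int before it is narrowed, so no high bits are ever lost. */
int validate_ident_after(uint64_t ident)
{
    if (ident > INT_MAX)
        return EBADF;
    int fd = (int)ident;                 /* now provably in range */
    if (!mock_fd_getfile(fd))
        return EBADF;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a small open fd, a closed fd, an ident whose low
     * 32 bits alias fd 3, and the largest possible ident. */
    const uint64_t idents[] = { 3, 7, ((uint64_t)1 << 32) | 3, UINT64_MAX };
    for (size_t i = 0; i < sizeof idents / sizeof idents[0]; i++) {
        printf("ident=0x%016llx before=%s after=%s\n",
               (unsigned long long)idents[i],
               validate_ident_before(idents[i]) == 0 ? "accepted" : "EBADF",
               validate_ident_after(idents[i]) == 0 ? "accepted" : "EBADF");
    }
    return 0;
}
```

The order of the two statements is the whole fix: comparing the wide value against INT_MAX first means the later `(int)` conversion can never discard bits, which is why the committed check sits before `fd = kev->ident;` rather than after it.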
Modified files: Index: src/sys/kern/kern_event.c diff -u src/sys/kern/kern_event.c:1.86 src/sys/kern/kern_event.c:1.87 --- src/sys/kern/kern_event.c:1.86 Mon Apr 4 16:47:57 2016 +++ src/sys/kern/kern_event.c Thu Jul 14 02:22:17 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_event.c,v 1.86 2016/04/04 20:47:57 christos Exp $ */ +/* $NetBSD: kern_event.c,v 1.87 2016/07/14 06:22:17 christos Exp $ */ /*- * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc. @@ -58,7 +58,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: kern_event.c,v 1.86 2016/04/04 20:47:57 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_event.c,v 1.87 2016/07/14 06:22:17 christos Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -935,6 +935,9 @@ kqueue_register(struct kqueue *kq, struc /* search if knote already exists */ if (kfilter->filtops->f_isfd) { /* monitoring a file descriptor */ + /* validate descriptor */ + if (kev->ident > INT_MAX) + return EBADF; fd = kev->ident; if ((fp = fd_getfile(fd)) == NULL) { rw_exit(&kqueue_filter_lock);
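Review bot: in the kqueue_register hunk, the new `if (kev->ident > INT_MAX) return EBADF;` returns early while kqueue_filter_lock appears to be held: the existing failure path immediately below it, `if ((fp = fd_getfile(fd)) == NULL) { rw_exit(&kqueue_filter_lock);`, releases that lock before failing, and the new return does not. Suggest mirroring that path (`rw_exit(&kqueue_filter_lock); return EBADF;`) or moving the range check ahead of the point where the lock is taken. The placement before `fd = kev->ident;` is right, since that assignment is where the wide ident is narrowed and the false positive described in the log message arises; a comment saying so, rather than only "validate descriptor", would make the intent clear to the next reader.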