Module Name: src
Committed By: christos
Date: Thu Jul 14 06:22:17 UTC 2016
Modified Files:
src/sys/kern: kern_event.c
Log Message:
>From tedu at openbsd:
kevent validates that ident is a valid fd by getting the file. one sad
quirk: uint64 to int32 truncation can lead to false positives, and then
later in the array sizing code, very big mallocs panic the kernel.
add a check that the ident isn't larger than INT_MAX in the fd case.
reported by Tim Newsham
To generate a diff of this commit:
cvs rdiff -u -r1.86 -r1.87 src/sys/kern/kern_event.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/kern_event.c
diff -u src/sys/kern/kern_event.c:1.86 src/sys/kern/kern_event.c:1.87
--- src/sys/kern/kern_event.c:1.86 Mon Apr 4 16:47:57 2016
+++ src/sys/kern/kern_event.c Thu Jul 14 02:22:17 2016
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_event.c,v 1.86 2016/04/04 20:47:57 christos Exp $ */
+/* $NetBSD: kern_event.c,v 1.87 2016/07/14 06:22:17 christos Exp $ */
/*-
* Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -58,7 +58,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_event.c,v 1.86 2016/04/04 20:47:57 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_event.c,v 1.87 2016/07/14 06:22:17 christos Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -935,6 +935,9 @@ kqueue_register(struct kqueue *kq, struc
/* search if knote already exists */
if (kfilter->filtops->f_isfd) {
/* monitoring a file descriptor */
+ /* validate descriptor */
+ if (kev->ident > INT_MAX)
+ return EBADF;
fd = kev->ident;
if ((fp = fd_getfile(fd)) == NULL) {
rw_exit(&kqueue_filter_lock);
