Module Name: src Committed By: nia Date: Fri Oct 9 09:03:55 UTC 2020
Modified Files: src/sys/kern: tty.c Log Message: tty: Avoid undefined behaviour (left shift of 1 by 31 places overflows int) The valid sizes of the tty input and output queues (according to the man page) are between 1024 and 65536 and input values are converted to a power of two. The check on the validity of the range is done after the input values are converted, however, which means that a hostile program can attempt to set the queue size to a negative value, and cause integer overflow before the range is validated. Detected by UBSan Reported-by: syzbot+521b73969fd233c49...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.289 -r1.290 src/sys/kern/tty.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.