Author: emaste
Date: Mon Nov 25 21:21:37 2019
New Revision: 355101
URL: https://svnweb.freebsd.org/changeset/base/355101
Log:
cfi: check for inter overflow in cfi_devioctl
Reported by: Pietro Oliva
Reviewed by: markj
MFC after: 3 days
Security: Possible OOB read in root-only ioctl
Sponsored by: The FreeBSD Foundation
Modified:
head/sys/dev/cfi/cfi_dev.c
Modified: head/sys/dev/cfi/cfi_dev.c
==============================================================================
--- head/sys/dev/cfi/cfi_dev.c Mon Nov 25 19:59:53 2019 (r355100)
+++ head/sys/dev/cfi/cfi_dev.c Mon Nov 25 21:21:37 2019 (r355101)
@@ -280,7 +280,8 @@ cfi_devioctl(struct cdev *dev, u_long cmd, caddr_t dat
rq = (struct cfiocqry *)data;
if (rq->offset >= sc->sc_size / sc->sc_width)
return (ESPIPE);
- if (rq->offset + rq->count > sc->sc_size / sc->sc_width)
+ if (rq->offset > ULONG_MAX - rq->count ||
+ rq->offset + rq->count > sc->sc_size / sc->sc_width)
return (ENOSPC);
while (!error && rq->count--) {
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "[email protected]"
