Author: emaste
Date: Thu Nov 28 02:15:45 2019
New Revision: 355159
URL: https://svnweb.freebsd.org/changeset/base/355159
Log:
MFC r355101, r355104: cfi: check for inter overflow in cfi_devioctl
Reported by: Pietro Oliva
Security: Possible OOB read in root-only ioctl
Sponsored by: The FreeBSD Foundation
Modified:
stable/11/sys/dev/cfi/cfi_dev.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/dev/cfi/cfi_dev.c
==============================================================================
--- stable/11/sys/dev/cfi/cfi_dev.c Thu Nov 28 02:12:33 2019
(r355158)
+++ stable/11/sys/dev/cfi/cfi_dev.c Thu Nov 28 02:15:45 2019
(r355159)
@@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$");
#include <sys/conf.h>
#include <sys/ioccom.h>
#include <sys/kernel.h>
+#include <sys/limits.h>
#include <sys/malloc.h>
#include <sys/proc.h>
#include <sys/sysctl.h>
@@ -278,7 +279,8 @@ cfi_devioctl(struct cdev *dev, u_long cmd, caddr_t dat
rq = (struct cfiocqry *)data;
if (rq->offset >= sc->sc_size / sc->sc_width)
return (ESPIPE);
- if (rq->offset + rq->count > sc->sc_size / sc->sc_width)
+ if (rq->offset > ULONG_MAX - rq->count ||
+ rq->offset + rq->count > sc->sc_size / sc->sc_width)
return (ENOSPC);
while (!error && rq->count--) {
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "[email protected]"
