Author: erj
Date: Thu Jan  2 23:05:48 2020
New Revision: 356304
URL: https://svnweb.freebsd.org/changeset/base/356304

Log:
  MFC r354975: bitstring: exit early if _start is past size of the bitstring
  
  This fixes a possible buffer read overflow.
  
  Sponsored by: Intel Corporation

Modified:
  stable/12/sys/sys/bitstring.h
  stable/12/tests/sys/sys/bitstring_test.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/sys/bitstring.h
==============================================================================
--- stable/12/sys/sys/bitstring.h       Thu Jan  2 23:00:52 2020        
(r356303)
+++ stable/12/sys/sys/bitstring.h       Thu Jan  2 23:05:48 2020        
(r356304)
@@ -202,6 +202,11 @@ bit_ffs_at(bitstr_t *_bitstr, int _start, int _nbits, 
        bitstr_t _test;
        int _value, _offset;
 
+       if (_start >= _nbits) {
+               *_result = -1;
+               return;
+       }
+
        if (_nbits > 0) {
                _curbitstr = _bitstr + _bit_idx(_start);
                _stopbitstr = _bitstr + _bit_idx(_nbits - 1);
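Review bot: The guard added to bit_ffs_at bounds `_start` only from above, so a negative `_start` still passes it and reaches `_bit_idx(_start)` two lines later. `_bit_idx` is not visible in this hunk, but if it divides by the word width, the resulting pointer would fall outside the bitstring, which is the same class of out-of-bounds read this commit is closing. Consider `if (_start < 0 || _start >= _nbits) {` so both ends are rejected. The identical guard added to bit_ffc_at in the second hunk has the same gap. A short comment above the guard, such as `/* _start outside [0, _nbits): nothing to search, and indexing would leave _bitstr */`, would record why the early return exists. Both function bodies start and end outside their hunks.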
@@ -230,6 +235,11 @@ bit_ffc_at(bitstr_t *_bitstr, int _start, int _nbits, 
        bitstr_t *_stopbitstr;
        bitstr_t _test;
        int _value, _offset;
+
+       if (_start >= _nbits) {
+               *_result = -1;
+               return;
+       }
 
        if (_nbits > 0) {
                _curbitstr = _bitstr + _bit_idx(_start);

Modified: stable/12/tests/sys/sys/bitstring_test.c
==============================================================================
--- stable/12/tests/sys/sys/bitstring_test.c    Thu Jan  2 23:00:52 2020        
(r356303)
+++ stable/12/tests/sys/sys/bitstring_test.c    Thu Jan  2 23:05:48 2020        
(r356304)
@@ -246,6 +246,17 @@ BITSTRING_TC_DEFINE(bit_ffs_at)
                            nbits, memloc, i, found_set_bit);
                }
        }
+
+       /* Pass a start value beyond the size of the bit string */
+       bit_ffs_at(bitstr, nbits, nbits, &found_set_bit);
+       ATF_REQUIRE_MSG(found_set_bit == -1,
+                       "bit_ffs_at_%d_%s: Failed with high start value of %d, 
Result %d",
+                       nbits, memloc, nbits, found_set_bit);
+
+       bit_ffs_at(bitstr, nbits + 3, nbits, &found_set_bit);
+       ATF_REQUIRE_MSG(found_set_bit == -1,
+                       "bit_ffs_at_%d_%s: Failed with high start value of %d, 
Result %d",
+                       nbits, memloc, nbits + 3, found_set_bit);
 }
 
 BITSTRING_TC_DEFINE(bit_ffc_at)
@@ -297,6 +308,17 @@ BITSTRING_TC_DEFINE(bit_ffc_at)
                            nbits, memloc, i, found_clear_bit);
                }
        }
+
+       /* Pass a start value beyond the size of the bit string */
+       bit_ffc_at(bitstr, nbits, nbits, &found_clear_bit);
+       ATF_REQUIRE_MSG(found_clear_bit == -1,
+                       "bit_ffc_at_%d_%s: Failed with high start value, Result 
%d",
+                       nbits, memloc, found_clear_bit);
+
+       bit_ffc_at(bitstr, nbits + 3, nbits, &found_clear_bit);
+       ATF_REQUIRE_MSG(found_clear_bit == -1,
+                       "bit_ffc_at_%d_%s: Failed with high start value of %d, 
Result %d",
+                       nbits, memloc, nbits + 3, found_clear_bit);
 }
 
 BITSTRING_TC_DEFINE(bit_nclear)
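Review bot: The first added bit_ffc_at assertion uses the message `Failed with high start value, Result %d`, which leaves out the start value. The second assertion and both bit_ffs_at assertions print it. Making it `Failed with high start value of %d, Result %d` with arguments `nbits, memloc, nbits, found_clear_bit` would let a failure log show which of the two calls tripped. Both new test blocks exercise only `_start == nbits` and `nbits + 3`, so a start value below zero is not covered here. The test case body begins outside the hunk.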