[Midnightbsd-cvs] src [7469] trunk: Incorrect argument validation in sysarch(2)

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Thu Mar 17 08:46:05 EDT 2016


Revision: 7469
          http://svnweb.midnightbsd.org/src/?rev=7469
Author:   laffer1
Date:     2016-03-17 08:46:04 -0400 (Thu, 17 Mar 2016)
Log Message:
-----------
Incorrect argument validation in sysarch(2)

        A special combination of sysarch(2) arguments specifies a request to
        uninstall a set of descriptors from the LDT.  The start descriptor
        is cleared and the number of descriptors is provided.  Due to invalid
        use of a signed intermediate value in the bounds checking during argument
        validity verification, unbound zeroing of the process LDT and adjacent
        memory can be initiated from usermode.

Obtained from: FreeBSD.

Modified Paths:
--------------
    trunk/UPDATING
    trunk/sys/amd64/amd64/sys_machdep.c

Modified: trunk/UPDATING
===================================================================
--- trunk/UPDATING	2016-03-17 12:36:44 UTC (rev 7468)
+++ trunk/UPDATING	2016-03-17 12:46:04 UTC (rev 7469)
@@ -6,6 +6,17 @@
 	Fix a security issue with OpenSSH X11 forwarding that can allow an attacker
 	run shell commands on the call to xauth.
 
+	Incorrect argument validation in sysarch(2)
+
+	A special combination of sysarch(2) arguments, specify a request to
+	uninstall a set of descriptors from the LDT.  The start descriptor
+	is cleared and the number of descriptors are provided.  Due to invalid
+	use of a signed intermediate value in the bounds checking during argument
+	validity verification, unbound zero'ing of the process LDT and adjacent
+	memory can be initiated from usermode.
+
+	Patch obtained from FreeBSD.
+
 20160229:
 	top now displays information on ZFS arc cache.
 
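Review bot: the added UPDATING entry (the block ending "Patch obtained from FreeBSD.") does not say which systems are affected or what an administrator has to do. The only code change in this commit is in trunk/sys/amd64/amd64/sys_machdep.c, so the entry should state that amd64 kernels are affected and that the kernel has to be rebuilt and the machine rebooted to pick up the fix. Citing the upstream advisory by its identifier, rather than only "Patch obtained from FreeBSD", would let readers cross-check it. The first sentence also has a stray comma and verb disagreement ("arguments, specify").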

Modified: trunk/sys/amd64/amd64/sys_machdep.c
===================================================================
--- trunk/sys/amd64/amd64/sys_machdep.c	2016-03-17 12:36:44 UTC (rev 7468)
+++ trunk/sys/amd64/amd64/sys_machdep.c	2016-03-17 12:46:04 UTC (rev 7469)
@@ -586,8 +586,8 @@
 	struct i386_ldt_args *uap;
 	struct user_segment_descriptor *descs;
 {
-	int error = 0, i;
-	int largest_ld;
+	int error = 0;
+	unsigned int largest_ld, i;
 	struct mdproc *mdp = &td->td_proc->p_md;
 	struct proc_ldt *pldt;
 	struct user_segment_descriptor *dp;
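Review bot: the retyping of largest_ld and i to unsigned int at the top of the function is not enough on its own to show that the bounds check is now sound, because none of the comparisons or subtractions that use them are in the visible context. Please confirm that every operand they are compared against is unsigned as well (a signed operand is converted silently) and that the sum that produces largest_ld cannot wrap. Unsigned addition wraps without any diagnostic, so an explicit rejection of a result smaller than the start index is worth having. A short comment at the declaration saying these two variables must stay unsigned would keep a later cleanup from reverting the fix.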


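The failure mode the log message describes, as an added example that is not part of the commit or the kernel source: a simplified userland model of a bounds check done with signed and then unsigned intermediates. The names `start`, `num`, `MAX_LDT`, `DESC_SIZE` and both function names are assumptions, and the wrap guard in the second function is this example's own addition.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_LDT   16u  /* constructed table size, not the kernel's limit */
#define DESC_SIZE 8u   /* constructed descriptor size in bytes */

/* Before: signed intermediates. Returns the byte count a clearing call
 * starting at slot `start` would be asked to zero. */
size_t clear_bytes_signed(unsigned int start, unsigned int num)
{
    int largest_ld, i;

    if (start >= MAX_LDT)
        return 0;
    largest_ld = (int)(start + num);    /* negative once the sum passes INT_MAX */
    if (largest_ld > (int)MAX_LDT)      /* signed compare: negative skips the clamp */
        largest_ld = (int)MAX_LDT;
    i = (int)((unsigned int)largest_ld - start);  /* wraps without signed-overflow UB */
    return (size_t)i * DESC_SIZE;       /* negative int becomes a huge size_t */
}

/* After: unsigned intermediates, as in the commit's declarations. */
size_t clear_bytes_unsigned(unsigned int start, unsigned int num)
{
    unsigned int largest_ld, i;

    if (start >= MAX_LDT)
        return 0;
    largest_ld = start + num;
    if (largest_ld > MAX_LDT)           /* unsigned compare: large sums are clamped */
        largest_ld = MAX_LDT;
    if (largest_ld < start)             /* extra guard (this example's): sum wrapped */
        return 0;
    i = largest_ld - start;
    return (size_t)i * DESC_SIZE;
}

int main(void)
{
    unsigned int num = 0xFFFFFFF0u;     /* constructed oversized count */

    printf("table is %u bytes\n", MAX_LDT * DESC_SIZE);
    printf("signed:   %zu bytes\n", clear_bytes_signed(1, num));
    printf("unsigned: %zu bytes\n", clear_bytes_unsigned(1, num));
    return 0;
}
```

The signed version reports a length far larger than the 128-byte table for the oversized count, while the unsigned version clamps it to the 15 slots that remain after slot 1.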
