[Midnightbsd-cvs] src [7470] stable/0.7: Incorrect argument validation in sysarch(2)

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Thu Mar 17 08:47:39 EDT 2016 

Revision: 7470
          http://svnweb.midnightbsd.org/src/?rev=7470
Author:   laffer1
Date:     2016-03-17 08:47:38 -0400 (Thu, 17 Mar 2016)
Log Message:
-----------
        Incorrect argument validation in sysarch(2)

        A special combination of sysarch(2) arguments, specify a request to
        uninstall a set of descriptors from the LDT.  The start descriptor
        is cleared and the number of descriptors are provided.  Due to invalid
        use of a signed intermediate value in the bounds checking during argument
        validity verification, unbound zero'ing of the process LDT and adjacent
        memory can be initiated from usermode.

        Patch obtained from FreeBSD.

Modified Paths:
--------------
    stable/0.7/UPDATING
    stable/0.7/sys/amd64/amd64/sys_machdep.c

Modified: stable/0.7/UPDATING
===================================================================
--- stable/0.7/UPDATING	2016-03-17 12:46:04 UTC (rev 7469)
+++ stable/0.7/UPDATING	2016-03-17 12:47:38 UTC (rev 7470)
@@ -8,6 +8,17 @@
 	Fix a security issue with OpenSSH X11 forwarding that can allow an attacker
 	run shell commands on the call to xauth.
 
+        Incorrect argument validation in sysarch(2)
+
+        A special combination of sysarch(2) arguments, specify a request to
+        uninstall a set of descriptors from the LDT.  The start descriptor
+        is cleared and the number of descriptors are provided.  Due to invalid
+        use of a signed intermediate value in the bounds checking during argument
+        validity verification, unbound zero'ing of the process LDT and adjacent
+        memory can be initiated from usermode.
+
+        Patch obtained from FreeBSD.
+
 20160310:
 	MidnightBSD 0.7.5 RELEASE
 

Modified: stable/0.7/sys/amd64/amd64/sys_machdep.c
===================================================================
--- stable/0.7/sys/amd64/amd64/sys_machdep.c	2016-03-17 12:46:04 UTC (rev 7469)
+++ stable/0.7/sys/amd64/amd64/sys_machdep.c	2016-03-17 12:47:38 UTC (rev 7470)
@@ -586,8 +586,8 @@
 	struct i386_ldt_args *uap;
 	struct user_segment_descriptor *descs;
 {
-	int error = 0, i;
-	int largest_ld;
+	int error = 0;
+	unsigned int largest_ld, i;
 	struct mdproc *mdp = &td->td_proc->p_md;
 	struct proc_ldt *pldt;
 	struct user_segment_descriptor *dp;

More information about the Midnightbsd-cvs mailing list