artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5a3c1e4)
kevent validates that ident is a valid fd by getting the file. one sad
authortedu <tedu@openbsd.org>
Thu, 14 Jul 2016 02:35:17 +0000 (02:35 +0000)
committertedu <tedu@openbsd.org>
Thu, 14 Jul 2016 02:35:17 +0000 (02:35 +0000)
quirk: uint64 to int32 truncation can lead to false positives, and then
later in the array sizing code, very big mallocs panic the kernel.
add a check that the ident isn't larger than INT_MAX in the fd case.
reported by Tim Newsham

sys/kern/kern_event.c patch | blob | history

diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index 846e29f..3010c19 100644 (file)
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: kern_event.c,v 1.72 2016/05/13 19:05:07 tedu Exp $    */
+/*     $OpenBSD: kern_event.c,v 1.73 2016/07/14 02:35:17 tedu Exp $    */
 
 /*-
  * Copyright (c) 1999,2000,2001 Jonathan Lemon <jlemon@FreeBSD.org>
@@ -572,6 +572,8 @@ kqueue_register(struct kqueue *kq, struct kevent *kev, struct proc *p)
 
        if (fops->f_isfd) {
                /* validate descriptor */
+               if (kev->ident > INT_MAX)
+                       return (EBADF);
                if ((fp = fd_getfile(fdp, kev->ident)) == NULL)
                        return (EBADF);
                FREF(fp);
OpenBSD src
by Ahmet Artu Yildirim