From: tedu Date: Thu, 14 Jul 2016 02:35:17 +0000 (+0000) Subject: kevent validates that ident is a valid fd by getting the file. one sad X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=8e9151d4be2cbbf2fcb4904ec47ae8b8f2e29304;p=openbsd kevent validates that ident is a valid fd by getting the file. one sad quirk: uint64 to int32 truncation can lead to false positives, and then later in the array sizing code, very big mallocs panic the kernel. add a check that the ident isn't larger than INT_MAX in the fd case. reported by Tim Newsham --- diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c index 846e29f182b..3010c198b37 100644 --- a/sys/kern/kern_event.c +++ b/sys/kern/kern_event.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_event.c,v 1.72 2016/05/13 19:05:07 tedu Exp $ */ +/* $OpenBSD: kern_event.c,v 1.73 2016/07/14 02:35:17 tedu Exp $ */ /*- * Copyright (c) 1999,2000,2001 Jonathan Lemon @@ -572,6 +572,8 @@ kqueue_register(struct kqueue *kq, struct kevent *kev, struct proc *p) if (fops->f_isfd) { /* validate descriptor */ + if (kev->ident > INT_MAX) + return (EBADF); if ((fp = fd_getfile(fdp, kev->ident)) == NULL) return (EBADF); FREF(fp);
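Review bot: the new `if (kev->ident > INT_MAX) return (EBADF);` guard in kqueue_register() is correctly placed ahead of fd_getfile(): that call takes the descriptor as an int, so an ident above INT_MAX would otherwise be narrowed before validation and could pass the check as a small, valid descriptor while the untruncated value is still used by the later array sizing, which is the false positive and oversized allocation the commit message describes. Returning EBADF here also matches the existing failure path for a descriptor fd_getfile() cannot find, so callers see one consistent error. Suggest widening the `/* validate descriptor */` comment to state why the INT_MAX comparison exists (the value is narrowed to int further down), so the guard is not removed as redundant by a later cleanup, and checking whether any other path in this file hands kev->ident to an int parameter without the same range check.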