From 8e9151d4be2cbbf2fcb4904ec47ae8b8f2e29304 Mon Sep 17 00:00:00 2001
From: tedu
Date: Thu, 14 Jul 2016 02:35:17 +0000
Subject: [PATCH] kevent validates that ident is a valid fd by getting the file. one sad quirk: uint64 to int32 truncation can lead to false positives, and then later in the array sizing code, very big mallocs panic the kernel. add a check that the ident isn't larger than INT_MAX in the fd case. reported by Tim Newsham
---
 sys/kern/kern_event.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index 846e29f182b..3010c198b37 100644
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_event.c,v 1.72 2016/05/13 19:05:07 tedu Exp $ */
+/* $OpenBSD: kern_event.c,v 1.73 2016/07/14 02:35:17 tedu Exp $ */
 
 /*-
  * Copyright (c) 1999,2000,2001 Jonathan Lemon
@@ -572,6 +572,8 @@ kqueue_register(struct kqueue *kq, struct kevent *kev, struct proc *p)
 
 	if (fops->f_isfd) {
 		/* validate descriptor */
+		if (kev->ident > INT_MAX)
+			return (EBADF);
 		if ((fp = fd_getfile(fdp, kev->ident)) == NULL)
 			return (EBADF);
 		FREF(fp);
-- 
2.20.1
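Review bot: The new `if (kev->ident > INT_MAX)` guard in kqueue_register carries no comment, so a later reader sees only a bare bound check in front of fd_getfile() and has nothing tying it to the truncation problem the commit message describes; I would replace the existing `/* validate descriptor */` with a why-comment such as `/* ident is wider than the int fd_getfile() takes; reject values that would be truncated to a plausible fd yet still reach the knote array sizing code unmodified */`. The comparison is well-formed as long as kev->ident is an unsigned type at least as wide as int, which the hunk does not show — presumably it is, given the commit message's uint64 wording, but worth confirming against the kevent definition. The body of kqueue_register starts and ends outside this hunk. The first hunk is only the RCS id bump.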