git: f88510077377 - main - ktrace: Handle negative array sizes in ktrstructarray
Mark Johnston
markj at FreeBSD.org
Thu May 27 19:53:21 UTC 2021
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=f88510077377157008f648b7036e1d1c9c83ea23
commit f88510077377157008f648b7036e1d1c9c83ea23
Author: Mark Johnston <markj at FreeBSD.org>
AuthorDate: 2021-05-27 19:49:12 +0000
Commit: Mark Johnston <markj at FreeBSD.org>
CommitDate: 2021-05-27 19:52:20 +0000
ktrace: Handle negative array sizes in ktrstructarray
ktrstructarray() may be used to create copies of kevent(2) change and
event arrays. It is called before parameter validation is done and so
should check for bogus array lengths before allocating a copy.
Reported by: syzkaller
Reviewed by: kib
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D30479
---
sys/kern/kern_ktrace.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 9059a75f571c..dc064d9ebd67 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -878,6 +878,8 @@ ktrstructarray(const char *name, enum uio_seg seg, const void *data,
if (__predict_false(curthread->td_pflags & TDP_INKTRACE))
return;
+ if (num_items < 0)
+ return;
/* Trim array length to genio size. */
max_items = ktr_geniosize / struct_size;
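Review bot: The new `if (num_items < 0)` check placed just before the "Trim array length to genio size" block carries no comment, while the reason for it exists only in the commit message (ktrstructarray() is called before the kevent(2) parameters are validated). A one-line comment above the check, for example `/* Callers may pass an unvalidated length. */`, would keep that rationale in the code next to the existing trim comment. The early return also means a call with a negative length produces no ktrace record at all, so it is worth confirming that silently dropping the record is intended rather than emitting an empty array.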