svn commit: r355101 - head/sys/dev/cfi
Ed Maste
emaste at FreeBSD.org
Mon Nov 25 21:21:38 UTC 2019
Author: emaste
Date: Mon Nov 25 21:21:37 2019
New Revision: 355101
URL: https://svnweb.freebsd.org/changeset/base/355101
Log:
cfi: check for inter overflow in cfi_devioctl
Reported by: Pietro Oliva
Reviewed by: markj
MFC after: 3 days
Security: Possible OOB read in root-only ioctl
Sponsored by: The FreeBSD Foundation
Modified:
head/sys/dev/cfi/cfi_dev.c
Modified: head/sys/dev/cfi/cfi_dev.c
==============================================================================
--- head/sys/dev/cfi/cfi_dev.c Mon Nov 25 19:59:53 2019 (r355100)
+++ head/sys/dev/cfi/cfi_dev.c Mon Nov 25 21:21:37 2019 (r355101)
@@ -280,7 +280,8 @@ cfi_devioctl(struct cdev *dev, u_long cmd, caddr_t dat
rq = (struct cfiocqry *)data;
if (rq->offset >= sc->sc_size / sc->sc_width)
return (ESPIPE);
- if (rq->offset + rq->count > sc->sc_size / sc->sc_width)
+ if (rq->offset > ULONG_MAX - rq->count ||
+ rq->offset + rq->count > sc->sc_size / sc->sc_width)
return (ENOSPC);
while (!error && rq->count--) {
More information about the svn-src-all
mailing list