svn commit: r278106 - in stable: 10/sys/dev/vt 9/sys/dev/vt
Xin LI
delphij at FreeBSD.org
Mon Feb 2 18:48:51 UTC 2015
Author: delphij
Date: Mon Feb 2 18:48:49 2015
New Revision: 278106
URL: https://svnweb.freebsd.org/changeset/base/278106
Log:
MFC r277806:
Use unsigned int for index value.
Without this change a local attacker could trigger a panic by
tricking the kernel into accessing undefined kernel memory.
We would like to acknowledge Francisco Falcon from CORE Security
Technologies who discovered the issue and reported to the
FreeBSD Security Team.
More information can be found at CORE Security's advisory at:
http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities
This is an errata candidate for releng/10.1 and releng/9.3. Earlier
releases are not affected.
Reported by: Francisco Falcon from CORE Security Technologies
Security: CVE-2014-0998
Reviewed by: dumbbell
Modified:
stable/9/sys/dev/vt/vt_core.c
Directory Properties:
stable/9/sys/ (props changed)
stable/9/sys/dev/ (props changed)
Changes in other areas also in this revision:
Modified:
stable/10/sys/dev/vt/vt_core.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/9/sys/dev/vt/vt_core.c
==============================================================================
--- stable/9/sys/dev/vt/vt_core.c Mon Feb 2 18:20:10 2015 (r278105)
+++ stable/9/sys/dev/vt/vt_core.c Mon Feb 2 18:48:49 2015 (r278106)
@@ -1718,20 +1718,23 @@ skip_thunk:
}
VT_UNLOCK(vd);
return (EINVAL);
- case VT_WAITACTIVE:
+ case VT_WAITACTIVE: {
+ unsigned int idx;
+
error = 0;
- i = *(unsigned int *)data;
- if (i > VT_MAXWINDOWS)
+ idx = *(unsigned int *)data;
+ if (idx > VT_MAXWINDOWS)
return (EINVAL);
- if (i != 0)
- vw = vd->vd_windows[i - 1];
+ if (idx > 0)
+ vw = vd->vd_windows[idx - 1];
VT_LOCK(vd);
while (vd->vd_curwindow != vw && error == 0)
error = cv_wait_sig(&vd->vd_winswitch, &vd->vd_lock);
VT_UNLOCK(vd);
return (error);
+ }
case VT_SETMODE: { /* set screen switcher mode */
struct vt_mode *mode;
struct proc *p1;
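Review bot: In the VT_WAITACTIVE case, `vw = vd->vd_windows[idx - 1];` is still read before `VT_LOCK(vd)` is taken, so the window pointer used in the wait loop is fetched without the lock that guards the loop itself. If vd_lock is meant to cover vd_windows, move the bounds check result and the array read below `VT_LOCK(vd)`. The bounds logic itself reads correctly for a 1-based index: `idx > VT_MAXWINDOWS` rejects anything past the last slot, and `idx > 0` keeps `idx - 1` from wrapping. Two small documentation points: the reason for the separate `unsigned int idx` lives only in the commit log, so a one-line comment at the declaration would keep a later cleanup from folding it back into the shared `i`; and when idx is 0 the code leaves `vw` at whatever value it had on entry to the case, which deserves a comment stating what 0 is meant to select.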