svn commit: r356304 - in stable/12: sys/sys tests/sys/sys
Eric Joyner
erj at FreeBSD.org
Thu Jan 2 23:05:49 UTC 2020
Author: erj
Date: Thu Jan 2 23:05:48 2020
New Revision: 356304
URL: https://svnweb.freebsd.org/changeset/base/356304
Log:
MFC r354975: bitstring: exit early if _start is past size of the bitstring
This fixes a possible buffer read overflow.
Sponsored by: Intel Corporation
Modified:
stable/12/sys/sys/bitstring.h
stable/12/tests/sys/sys/bitstring_test.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/sys/sys/bitstring.h
==============================================================================
--- stable/12/sys/sys/bitstring.h Thu Jan 2 23:00:52 2020 (r356303)
+++ stable/12/sys/sys/bitstring.h Thu Jan 2 23:05:48 2020 (r356304)
@@ -202,6 +202,11 @@ bit_ffs_at(bitstr_t *_bitstr, int _start, int _nbits,
bitstr_t _test;
int _value, _offset;
+ if (_start >= _nbits) {
+ *_result = -1;
+ return;
+ }
+
if (_nbits > 0) {
_curbitstr = _bitstr + _bit_idx(_start);
_stopbitstr = _bitstr + _bit_idx(_nbits - 1);
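Review bot: The new guard in bit_ffs_at bounds `_start` only from above, so a negative `_start` still passes `_start >= _nbits` and reaches `_curbitstr = _bitstr + _bit_idx(_start);`. If `_bit_idx` is a plain division by the word width (its definition is not in this hunk), a sufficiently negative value would place `_curbitstr` before the start of the bitstring. Since `_start` is a signed `int`, the check could reject both directions: `if (_start < 0 || _start >= _nbits) {`. The identical guard added to bit_ffc_at in the next hunk has the same gap. Both function bodies start and end outside their hunks, so whether any caller can pass a negative start cannot be confirmed from here.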
@@ -230,6 +235,11 @@ bit_ffc_at(bitstr_t *_bitstr, int _start, int _nbits,
bitstr_t *_stopbitstr;
bitstr_t _test;
int _value, _offset;
+
+ if (_start >= _nbits) {
+ *_result = -1;
+ return;
+ }
if (_nbits > 0) {
_curbitstr = _bitstr + _bit_idx(_start);
Modified: stable/12/tests/sys/sys/bitstring_test.c
==============================================================================
--- stable/12/tests/sys/sys/bitstring_test.c Thu Jan 2 23:00:52 2020 (r356303)
+++ stable/12/tests/sys/sys/bitstring_test.c Thu Jan 2 23:05:48 2020 (r356304)
@@ -246,6 +246,17 @@ BITSTRING_TC_DEFINE(bit_ffs_at)
nbits, memloc, i, found_set_bit);
}
}
+
+ /* Pass a start value beyond the size of the bit string */
+ bit_ffs_at(bitstr, nbits, nbits, &found_set_bit);
+ ATF_REQUIRE_MSG(found_set_bit == -1,
+ "bit_ffs_at_%d_%s: Failed with high start value of %d, Result %d",
+ nbits, memloc, nbits, found_set_bit);
+
+ bit_ffs_at(bitstr, nbits + 3, nbits, &found_set_bit);
+ ATF_REQUIRE_MSG(found_set_bit == -1,
+ "bit_ffs_at_%d_%s: Failed with high start value of %d, Result %d",
+ nbits, memloc, nbits + 3, found_set_bit);
}
BITSTRING_TC_DEFINE(bit_ffc_at)
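Review bot: The two added cases use start values of `nbits` and `nbits + 3`, which for many sizes stay in the same `bitstr_t` word as bit `nbits - 1`. Judging from the pointer arithmetic in the bitstring.h hunks, the read past the end presumably needs `_start` to land in a later word than `_nbits - 1`, so these cases may pass even without the fix. A case a full word past the end would pin the regression for every size: `bit_ffs_at(bitstr, nbits + (int)(sizeof(bitstr_t) * 8), nbits, &found_set_bit);` followed by the same `ATF_REQUIRE_MSG(found_set_bit == -1, ...)` check. The same applies to the bit_ffc_at cases added in the next hunk. The test body begins outside this hunk, so the sizes it iterates over are not visible here.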
@@ -297,6 +308,17 @@ BITSTRING_TC_DEFINE(bit_ffc_at)
nbits, memloc, i, found_clear_bit);
}
}
+
+ /* Pass a start value beyond the size of the bit string */
+ bit_ffc_at(bitstr, nbits, nbits, &found_clear_bit);
+ ATF_REQUIRE_MSG(found_clear_bit == -1,
+ "bit_ffc_at_%d_%s: Failed with high start value, Result %d",
+ nbits, memloc, found_clear_bit);
+
+ bit_ffc_at(bitstr, nbits + 3, nbits, &found_clear_bit);
+ ATF_REQUIRE_MSG(found_clear_bit == -1,
+ "bit_ffc_at_%d_%s: Failed with high start value of %d, Result %d",
+ nbits, memloc, nbits + 3, found_clear_bit);
}
BITSTRING_TC_DEFINE(bit_nclear)
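Review bot: The first new bit_ffc_at assertion uses the message `"bit_ffc_at_%d_%s: Failed with high start value, Result %d"`, which leaves out the start value that the other three new assertions report. A failure at `start == nbits` is easier to read if it matches its siblings: `"bit_ffc_at_%d_%s: Failed with high start value of %d, Result %d", nbits, memloc, nbits, found_clear_bit);`. This affects diagnostics only, not what the test checks.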