The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=f88510077377157008f648b7036e1d1c9c83ea23
commit f88510077377157008f648b7036e1d1c9c83ea23 Author: Mark Johnston <[email protected]> AuthorDate: 2021-05-27 19:49:12 +0000 Commit: Mark Johnston <[email protected]> CommitDate: 2021-05-27 19:52:20 +0000 ktrace: Handle negative array sizes in ktrstructarray ktrstructarray() may be used to create copies of kevent(2) change and event arrays. It is called before parameter validation is done and so should check for bogus array lengths before allocating a copy. Reported by: syzkaller Reviewed by: kib MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D30479 --- sys/kern/kern_ktrace.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c index 9059a75f571c..dc064d9ebd67 100644 --- a/sys/kern/kern_ktrace.c +++ b/sys/kern/kern_ktrace.c @@ -878,6 +878,8 @@ ktrstructarray(const char *name, enum uio_seg seg, const void *data, if (__predict_false(curthread->td_pflags & TDP_INKTRACE)) return; + if (num_items < 0) + return; /* Trim array length to genio size. */ max_items = ktr_geniosize / struct_size; _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "[email protected]"
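Review bot: The new `if (num_items < 0) return;` guard in the ktrstructarray() hunk has no comment, so someone reading sys/kern/kern_ktrace.c alone cannot tell why a negative count can reach this point. The reason is given only in the commit message (the function is called before kevent(2) parameter validation is done). A one-line comment above the check, for example `/* Callers may not have validated num_items yet. */`, would keep that next to the code. The early return also means no ktrace record is emitted for such a call, while the step just below, commented "Trim array length to genio size", clamps an oversized count instead of dropping it. If dropping the record for a negative count is intentional, say so in the same comment so the two behaviours are not mistaken for an inconsistency.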
