Module Name:    src
Committed By:   nia
Date:           Fri Oct 9 09:03:55 UTC 2020

Modified Files:
        src/sys/kern: tty.c

Log Message:
tty: Avoid undefined behaviour (left shift of 1 by 31 places overflows int)

The valid sizes of the tty input and output queues (according to the man
page) are between 1024 and 65536 and input values are converted to a
power of two. The check on the validity of the range is done after the
input values are converted, however, which means that a hostile program
can attempt to set the queue size to a negative value, and cause integer
overflow before the range is validated.

Detected by UBSan
Reported-by: syzbot+521b73969fd233c49...@syzkaller.appspotmail.com

To generate a diff of this commit:
cvs rdiff -u -r1.289 -r1.290 src/sys/kern/tty.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files: Index: src/sys/kern/tty.c diff -u src/sys/kern/tty.c:1.289 src/sys/kern/tty.c:1.290 --- src/sys/kern/tty.c:1.289 Wed Aug 26 16:36:32 2020 +++ src/sys/kern/tty.c Fri Oct 9 09:03:55 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: tty.c,v 1.289 2020/08/26 16:36:32 maxv Exp $ */ +/* $NetBSD: tty.c,v 1.290 2020/10/09 09:03:55 nia Exp $ */ /*- * Copyright (c) 2008, 2020 The NetBSD Foundation, Inc. @@ -63,7 +63,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: tty.c,v 1.289 2020/08/26 16:36:32 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: tty.c,v 1.290 2020/10/09 09:03:55 nia Exp $"); #ifdef _KERNEL_OPT #include "opt_compat_netbsd.h" @@ -226,7 +226,7 @@ int tty_qsize = TTY_MINQSIZE; static int tty_get_qsize(int *qsize, int newsize) { - if (newsize == 0) + if (newsize <= 0) return EINVAL; newsize = 1 << ilog2(newsize); /* Make it a power of two */
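
Review bot: In tty_get_qsize(), the shift `newsize = 1 << ilog2(newsize);` still runs before the range check that the log message describes, so its safety now rests entirely on the `newsize <= 0` guard above it and on the reader working out that a positive int keeps the shift count below 31. Consider rejecting values outside the documented 1024 to 65536 range before the power-of-two conversion, so that validation precedes arithmetic on the caller-supplied value. Failing that, add a one-line comment on the guard stating that it exists to keep the shift count in range, so a later cleanup does not relax it back to `== 0`.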