
Require a valid base FPU state size.
ClosedPublic

Authored by jhb on Feb 16 2015, 8:54 PM.

Details

Summary

PT_SET_XSTATE assumes that the supplied data always includes a valid
savefpu, but it wasn't checking the data length to ensure that. This was
a bug in my changes to it, not in the original.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

jhb retitled this revision from "" to "Require a valid base FPU state size.".
jhb updated this object.
jhb edited the test plan for this revision. (Show Details)
jhb added reviewers: emaste, kib.
kib edited edge metadata.

So the real bug is passing negative length to fpusetregs.

This revision is now accepted and ready to land. (Feb 16 2015, 9:21 PM)
emaste edited edge metadata.

The negative length is one problem, but we would also be passing random kernel memory into the FPU state that could then be fetched via a PT_GETXSTATE. That is, if you passed a size of 1 then we would malloc(1), but store the first 512 bytes into the fxsave state that could then later be retrieved (if the negative length didn't result in a panic).
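The two failure modes raised in this review (the negative extension length and the read of uninitialised heap memory into the base FPU state, later readable by the tracer) can be modelled in user space without touching real kernel code. The program below is an added illustration written for this page; it is not FreeBSD's ptrace or fpusetregs code, and the struct layout, the 512-byte savefpu size, the 832-byte maximum, the bump-allocator "heap", the 0xAA stale-memory marker and every function name are constructed assumptions for the example. The "before" path checks only the upper bound, as the summary describes; the "after" path adds the lower bound on the base savefpu.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FreeBSD code. Sizes and names below are assumptions. */
#define SAVEFPU_SIZE   512   /* assumed size of the legacy FXSAVE area (struct savefpu) */
#define MAX_EXT_STATE  832   /* constructed stand-in for the cpu_max_ext_state_size limit */
#define STALE_BYTE     0xAA  /* marks "whatever was last in kernel memory" */

struct savefpu { uint8_t fx[SAVEFPU_SIZE]; };

/* Modeled per-thread extended state: the savefpu first, XSAVE extensions after it. */
struct thread_xstate { uint8_t buf[MAX_EXT_STATE]; };

/* Bump allocator over a pre-filled arena, standing in for a temporary kernel malloc.
 * Like a real allocator it hands back memory without scrubbing it. */
static uint8_t arena[4096];
static size_t arena_off;

static void arena_reset(void) {
    memset(arena, STALE_BYTE, sizeof arena);
    arena_off = 0;
}

static void *temp_malloc(size_t n) {
    void *p = &arena[arena_off];
    arena_off += n;
    return p;
}

/* Bytes left for the extended area once the savefpu has been consumed;
 * negative when the caller supplied fewer than SAVEFPU_SIZE bytes. */
long ext_state_len(size_t len) {
    return (long)len - (long)sizeof(struct savefpu);
}

/* Shared body: what happens once the length check has passed. */
static void apply_xstate(struct thread_xstate *td, const uint8_t *user, size_t len) {
    uint8_t *tmp = temp_malloc(len);
    memcpy(tmp, user, len);                         /* copyin of the caller's bytes */
    memcpy(td->buf, tmp, sizeof(struct savefpu));   /* base copy assumes a whole savefpu */
    long ext = ext_state_len(len);
    if (ext > 0)
        memcpy(td->buf + SAVEFPU_SIZE, tmp + SAVEFPU_SIZE, (size_t)ext);
}

/* "Before": only the upper bound is checked, so a 1-byte request is accepted. */
int setxstate_before(struct thread_xstate *td, const uint8_t *user, size_t len) {
    if (len > MAX_EXT_STATE)
        return EINVAL;
    apply_xstate(td, user, len);
    return 0;
}

/* "After": additionally require at least a whole savefpu. */
int setxstate_after(struct thread_xstate *td, const uint8_t *user, size_t len) {
    if (len < sizeof(struct savefpu) || len > MAX_EXT_STATE)
        return EINVAL;
    apply_xstate(td, user, len);
    return 0;
}

/* PT_GETXSTATE side: hands the stored state back to the tracer. */
void getxstate(const struct thread_xstate *td, uint8_t *out, size_t len) {
    memcpy(out, td->buf, len < MAX_EXT_STATE ? len : MAX_EXT_STATE);
}

/* Sends a 1-byte request through the unchecked path and counts how many of the
 * 512 base bytes read back are stale heap contents rather than caller data. */
int stale_bytes_leaked_before(void) {
    struct thread_xstate td;
    uint8_t one = 0x11, out[SAVEFPU_SIZE];
    int stale = 0;
    memset(&td, 0, sizeof td);
    arena_reset();
    if (setxstate_before(&td, &one, 1) != 0)
        return -1;
    getxstate(&td, out, sizeof out);
    for (size_t i = 0; i < sizeof out; i++)
        if (out[i] == STALE_BYTE)
            stale++;
    return stale;
}

/* The same 1-byte request against the checked path: rejected before any copy. */
int short_request_after(void) {
    struct thread_xstate td;
    uint8_t one = 0x11;
    memset(&td, 0, sizeof td);
    arena_reset();
    return setxstate_after(&td, &one, 1);
}

int main(void) {
    printf("ext_state_len(1) = %ld\n", ext_state_len(1));
    printf("before: %d stale bytes exposed via getxstate\n", stale_bytes_leaked_before());
    printf("after:  short request rejected with errno %d\n", short_request_after());
    return 0;
}
```

With a length of 1 the unchecked path copies one caller byte into the temporary buffer and then lifts 512 bytes from it into the thread's state, so 511 bytes of whatever the allocator last held become readable through the get side; in the real kernel that is an information leak, and the negative extension length is a separate crash risk. The added lower-bound check turns the same request into EINVAL before anything is copied.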

jhb updated this revision to Diff 3849.

Closed by commit rS278976 (authored by @jhb).