
Require a valid base FPU state size.
ClosedPublic

Authored by jhb on Feb 16 2015, 8:54 PM.

Details

Summary

PT_SET_XSTATE assumes that the supplied data always includes a valid
savefpu, but it wasn't checking the data length to ensure that. This was
a bug in my changes to it, not in the original.

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

jhb retitled this revision from to Require a valid base FPU state size..
jhb updated this object.
jhb edited the test plan for this revision.
jhb added reviewers: emaste, kib.
kib edited edge metadata.

So the real bug is passing negative length to fpusetregs.

This revision is now accepted and ready to land. Feb 16 2015, 9:21 PM
emaste edited edge metadata.

The negative length is one problem, but we would also be passing random kernel memory into the FPU state that could then be fetched via a PT_GETXSTATE. That is, if you passed a size of 1 then we would malloc(1), but store the first 512 bytes into the fxsave state that could then later be retrieved (if the negative length didn't result in a panic).

jhb updated this revision to Diff 3849.

Closed by commit rS278976 (authored by @jhb).
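
The length check discussed in this review, as an added userland model (not the FreeBSD kernel code and not part of the original revision): a setter that refuses any buffer too short to hold the 512-byte base state, so the base copy never reads past the allocation and the extended length never goes negative. The names `fpu_model`, `set_xstate`, `ext_len_for`, `try_len` and the `MAX_XSTATE_SIZE` value are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define BASE_FPU_SIZE   512u   /* size of the fxsave area, per the review comment */
#define MAX_XSTATE_SIZE 2688u  /* constructed upper bound, for illustration only */

/* Hypothetical stand-in for a thread's saved FPU state. */
struct fpu_model {
    unsigned char base[BASE_FPU_SIZE];
    unsigned char ext[MAX_XSTATE_SIZE - BASE_FPU_SIZE];
    size_t ext_len;
};

/* Bytes left for the extended area; negative if the base state does not fit. */
long ext_len_for(size_t len)
{
    return (long)len - (long)BASE_FPU_SIZE;
}

/* Reject a caller-supplied length before any byte of the buffer is read. */
int set_xstate(struct fpu_model *st, const unsigned char *buf, size_t len)
{
    if (buf == NULL || len < BASE_FPU_SIZE || len > MAX_XSTATE_SIZE)
        return EINVAL;
    memcpy(st->base, buf, BASE_FPU_SIZE);
    st->ext_len = len - BASE_FPU_SIZE;      /* cannot underflow after the check */
    memcpy(st->ext, buf + BASE_FPU_SIZE, st->ext_len);
    return 0;
}

/* Allocate exactly len bytes, as the setter's caller would, and try to install them. */
int try_len(size_t len)
{
    static struct fpu_model st;
    unsigned char *buf = calloc(len ? len : 1, 1);
    int error = (buf == NULL) ? ENOMEM : set_xstate(&st, buf, len);
    free(buf);
    return error;
}

int main(void)
{
    /* 1 is the size from the review comment; 512 and 576 fit; 2689 is too large. */
    size_t sizes[] = { 1, 512, 576, 2689 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        if (try_len(sizes[i]) != (sizes[i] == 1 || sizes[i] == 2689 ? EINVAL : 0))
            return 1;
    return 0;
}
```

With a length of 1, `ext_len_for` yields -511, which is the negative length the first comment refers to; the lower-bound check stops the request before either copy runs.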