Differential D4071

The ops EL_SIGNAL, EL_EDITMODE, EL_UNBUFFERED, and EL_PREP_TERM all take an int, not an int*.
ClosedPublic
Actions

Authored by brooks on Nov 2 2015, 9:11 PM.

Details

Reviewers

bapt

Commits

rS290298: The ops EL_SIGNAL, EL_EDITMODE, EL_UNBUFFERED, and EL_PREP_TERM all take

Summary

Sponsored by: DARPA, AFRL
Discovered with: CHERI

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

brooks updated this revision to Diff 9893.Nov 2 2015, 9:11 PM

brooks retitled this revision from to The ops EL_SIGNAL, EL_EDITMODE, EL_UNBUFFERED, and EL_PREP_TERM all take an int, not an int*..

brooks updated this object.

brooks edited the test plan for this revision. (Show Details)

brooks added a reviewer: bapt.

Herald added a subscriber: imp. · View Herald TranscriptNov 2 2015, 9:11 PM

This bug is harmless in practice on current hardware because el_wget() is also a varargs function and va_arg(ap, int *) effectively copies the argument unmodified. On CHERI it causes a hardware trap because varargs are stored in a bounded array an reading 16-32 bytes out of an 8 byte array isn't allowed.

Looks good, but please upstream this change as well.

This revision is now accepted and ready to land.Nov 2 2015, 9:22 PM

Closed by commit rS290298: The ops EL_SIGNAL, EL_EDITMODE, EL_UNBUFFERED, and EL_PREP_TERM all take (authored by brooks). · Explain WhyNov 2 2015, 10:21 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

head/

lib/

libedit/

eln.c

4 lines

Diff 9899

View Options

The ops EL_SIGNAL, EL_EDITMODE, EL_UNBUFFERED, and EL_PREP_TERM all take an int, not an int*.ClosedPublicActions