
Require a valid base FPU state size.
Closed, Public

Authored by jhb on Feb 16 2015, 8:54 PM.

Details

Summary

PT_SETXSTATE assumes that the supplied data always includes a valid
savefpu, but it wasn't checking the data length to ensure that. This was
a bug in my changes to it, not in the original.

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

jhb retitled this revision to "Require a valid base FPU state size."
jhb updated this object.
jhb edited the test plan for this revision. (Show Details)
jhb added reviewers: emaste, kib.
kib edited edge metadata.

So the real bug is passing a negative length to fpusetregs.

This revision is now accepted and ready to land. Feb 16 2015, 9:21 PM
emaste edited edge metadata.

The negative length is one problem, but we would also be passing random kernel memory into the FPU state that could then be fetched via a PT_GETXSTATE. That is, if you passed a size of 1 then we would malloc(1), but store the first 512 bytes into the fxsave state that could then later be retrieved (if the negative length didn't result in a panic).
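To make the two problems raised in the summary and in the comment above concrete (the missing lower bound on the request length, and the stale heap bytes that a short buffer would push into the thread's FPU state and later expose through PT_GETXSTATE), the following is an added example in C that models the handler; it is not FreeBSD's code and not the diff under review. The 512-byte FXSAVE area comes from the comment above; everything else is an assumption made for illustration: the 256-byte extended area, the arena that stands in for malloc(9), and the names pt_setxstate_before, pt_setxstate_after, fpusetxstate_model, pt_getxstate_model and leaked_base_bytes.

```c
/*
 * Hypothetical model of the PT_SETXSTATE / PT_GETXSTATE length handling
 * discussed in this review. Not FreeBSD code: the structures, sizes and
 * function names are simplified stand-ins chosen for this example.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FXSAVE_SIZE 512                     /* base FXSAVE area, per the review */
#define EXT_SIZE    256                     /* assumed size of the extended area */
#define MAX_XSTATE  (FXSAVE_SIZE + EXT_SIZE) /* assumed cpu_max_ext_state_size */

struct savefpu { uint8_t sv_fxsave[FXSAVE_SIZE]; };

struct thread {
    struct savefpu td_base;          /* FXSAVE part of the FPU state */
    uint8_t        td_ext[EXT_SIZE]; /* extended (XSAVE) part */
};

/* Stand-in for malloc(9): a fixed arena pre-filled with 0xAA to represent
 * whatever stale kernel data an earlier allocation left behind. */
static uint8_t kheap[MAX_XSTATE];

static void *kmalloc_model(size_t n)
{
    if (n == 0 || n > sizeof(kheap))
        return NULL;
    memset(kheap, 0xAA, sizeof(kheap));
    return kheap;
}

/* Stand-in for fpusetregs()/fpusetxstate(): the base state is installed
 * unconditionally, then xlen bytes of extended state. A negative xlen is
 * rejected, but by then the base copy has already happened. */
static int fpusetxstate_model(struct thread *td, const uint8_t *buf, int xlen)
{
    memcpy(&td->td_base, buf, FXSAVE_SIZE);
    if (xlen < 0 || xlen > EXT_SIZE)
        return EINVAL;               /* the "negative length" case lands here */
    memcpy(td->td_ext, buf + FXSAVE_SIZE, (size_t)xlen);
    return 0;
}

/* Handler as described in the summary: only an upper bound on data. */
static int pt_setxstate_before(struct thread *td, const uint8_t *uaddr, int data)
{
    uint8_t *buf;

    if (data > MAX_XSTATE)
        return EINVAL;
    buf = kmalloc_model((size_t)data);      /* malloc(1) when data == 1 */
    if (buf == NULL)
        return ENOMEM;
    memcpy(buf, uaddr, (size_t)data);       /* copyin() stand-in: only data bytes */
    /* data - 512 goes negative for any data < 512 */
    return fpusetxstate_model(td, buf, data - FXSAVE_SIZE);
}

/* Handler with the missing lower bound added: data must cover a savefpu. */
static int pt_setxstate_after(struct thread *td, const uint8_t *uaddr, int data)
{
    if (data < FXSAVE_SIZE || data > MAX_XSTATE)
        return EINVAL;
    return pt_setxstate_before(td, uaddr, data);
}

/* PT_GETXSTATE stand-in: copy the whole state back out to the tracer. */
static void pt_getxstate_model(const struct thread *td, uint8_t *out)
{
    memcpy(out, &td->td_base, FXSAVE_SIZE);
    memcpy(out + FXSAVE_SIZE, td->td_ext, EXT_SIZE);
}

/* How many of the 512 base bytes carry the arena marker, i.e. were never
 * written by the tracer and came from "random kernel memory". */
static int leaked_base_bytes(const struct thread *td)
{
    int n = 0;
    for (size_t i = 0; i < FXSAVE_SIZE; i++)
        n += (td->td_base.sv_fxsave[i] == 0xAA);
    return n;
}

int main(void)
{
    struct thread td;
    uint8_t one = 0x11;                     /* constructed 1-byte tracer buffer */
    uint8_t out[MAX_XSTATE];

    memset(&td, 0, sizeof(td));
    printf("before: error=%d, stale base bytes=%d\n",
        pt_setxstate_before(&td, &one, 1), leaked_base_bytes(&td));
    pt_getxstate_model(&td, out);
    printf("before: PT_GETXSTATE returns out[1]=0x%02x\n", out[1]);

    memset(&td, 0, sizeof(td));
    printf("after:  error=%d, stale base bytes=%d\n",
        pt_setxstate_after(&td, &one, 1), leaked_base_bytes(&td));
    return 0;
}
```

With the unchecked handler a one-byte request still installs a full 512-byte base state, 511 bytes of which came from the arena, and PT_GETXSTATE hands them back to the tracer even though the call itself fails on the negative extended length; with the lower bound in place the request is rejected before anything is copied.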

jhb updated this revision to Diff 3849.

Closed by commit rS278976 (authored by @jhb).