authorTed Unangst <tedu@cvs.openbsd.org>2016-07-14 02:35:18 +0000
committerTed Unangst <tedu@cvs.openbsd.org>2016-07-14 02:35:18 +0000
commit0eddf8af63a8d41a203d8a58ae5e3199dca74070 (patch)
treeb701ada82ccc610d8c1c468570cd0664881b439d /sys/kern/kern_event.c
parent4d1b0712ffd0822c601fc4f182f7c2a7e9109f0a (diff)
kevent validates that ident is a valid fd by getting the file. one sad
quirk: uint64 to int32 truncation can lead to false positives, and then later in the array sizing code, very big mallocs panic the kernel. add a check that the ident isn't larger than INT_MAX in the fd case. reported by Tim Newsham
Diffstat (limited to 'sys/kern/kern_event.c')
-rw-r--r--sys/kern/kern_event.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/kern/kern_event.c b/sys/kern/kern_event.c
index 846e29f182b..3010c198b37 100644
--- a/sys/kern/kern_event.c
+++ b/sys/kern/kern_event.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_event.c,v 1.72 2016/05/13 19:05:07 tedu Exp $ */
+/* $OpenBSD: kern_event.c,v 1.73 2016/07/14 02:35:17 tedu Exp $ */
/*-
* Copyright (c) 1999,2000,2001 Jonathan Lemon <jlemon@FreeBSD.org>
@@ -572,6 +572,8 @@ kqueue_register(struct kqueue *kq, struct kevent *kev, struct proc *p)
if (fops->f_isfd) {
/* validate descriptor */
+ if (kev->ident > INT_MAX)
+ return (EBADF);
if ((fp = fd_getfile(fdp, kev->ident)) == NULL)
return (EBADF);
FREF(fp);
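Review bot: The added `kev->ident > INT_MAX` guard has no comment explaining why it is needed, and the reason cannot be seen at the call site. Per the commit message, `ident` is wider than the int that `fd_getfile()` works with, so an oversized value can truncate to the number of an open descriptor and pass validation. I would put a short comment above the check, for example `/* ident is wider than int: reject values that would truncate to a valid fd */`. The array-sizing code the message refers to is outside this hunk, so it is worth confirming that no other path hands it an fd-type ident that skipped this check, or adding a bounds assertion next to the allocation as well. kqueue_register starts before the hunk and continues past it.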