author | Philip Guenther <guenther@cvs.openbsd.org> | 2017-09-27 05:43:56 +0000 |
---|---|---|
committer | Philip Guenther <guenther@cvs.openbsd.org> | 2017-09-27 05:43:56 +0000 |
commit | 934b4bf1a5ae32ca2be1865b986151d1fc51cf65 (patch) | |
tree | 1165834e2b0c3d7a1c1804c968697e0edaf06755 /sys/kern | |
parent | b92e0e66c9af0cd29e7c90698f3dd2e0ab6af7d3 (diff) |
amd64 needs FS.base values (the TCB pointer) to be validated, as noncanonical
addresses will cause a fault on load by the kernel.
Problem observed by Maxime Villard
ok kettenis@ deraadt@
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_fork.c | 4 | ||||
-rw-r--r-- | sys/kern/kern_prot.c | 7 |
2 files changed, 8 insertions, 3 deletions
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index f233d94bd7a..71a4c78fc4a 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_fork.c,v 1.198 2017/08/29 02:51:27 deraadt Exp $ */
+/* $OpenBSD: kern_fork.c,v 1.199 2017/09/27 05:43:55 guenther Exp $ */
 /* $NetBSD: kern_fork.c,v 1.29 1996/02/09 18:59:34 christos Exp $ */
 /*
@@ -128,6 +128,8 @@ sys___tfork(struct proc *p, void *v, register_t *retval)
 if (KTRPOINT(p, KTR_STRUCT))
 ktrstruct(p, "tfork", ¶m, sizeof(param));
 #endif
+ if (TCB_INVALID(param.tf_tcb))
+ return EINVAL;
 return thread_fork(p, param.tf_stack, param.tf_tcb, param.tf_tid, retval);
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index d3bd45a185c..27061d1e4e6 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_prot.c,v 1.69 2017/04/13 04:06:46 guenther Exp $ */
+/* $OpenBSD: kern_prot.c,v 1.70 2017/09/27 05:43:55 guenther Exp $ */
 /* $NetBSD: kern_prot.c,v 1.33 1996/02/09 18:59:42 christos Exp $ */
 /*
@@ -1073,8 +1073,11 @@ sys___set_tcb(struct proc *p, void *v, register_t *retval)
 struct sys___set_tcb_args /* { syscallarg(void *) tcb; } */ *uap = v;
+ void *tcb = SCARG(uap, tcb);
- TCB_SET(p, SCARG(uap, tcb));
+ if (TCB_INVALID(tcb))
+ return EINVAL;
+ TCB_SET(p, tcb);
 return (0);
 } |
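Review bot: The new `TCB_INVALID(param.tf_tcb)` check in sys___tfork carries no comment, so the reason a thread creation can now fail with EINVAL is recorded only in the commit message; the check added to sys___set_tcb in kern_prot.c has the same gap. I would put `/* reject a TCB the MD code cannot load safely, e.g. a noncanonical FS.base on amd64 */` above each check. TCB_INVALID is defined outside this diff (the diffstat is limited to sys/kern), so it should be confirmed that every architecture provides it and that it still accepts whatever value callers pass when they supply no TCB. The body of sys___tfork starts and ends outside the hunk.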
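Review bot: The added `return EINVAL;` in sys___set_tcb is written without parentheses, while the other return visible in the same function is `return (0);`; for consistency within the function I would write `return (EINVAL);`. Separately, the visible old body always returned 0, so __set_tcb gains a failure mode here. The syscall's documentation and any caller that ignores its result are not visible on this page and would need a look.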