authorPhilip Guenther <guenther@cvs.openbsd.org>2017-09-27 05:43:56 +0000
committerPhilip Guenther <guenther@cvs.openbsd.org>2017-09-27 05:43:56 +0000
commit934b4bf1a5ae32ca2be1865b986151d1fc51cf65 (patch)
tree1165834e2b0c3d7a1c1804c968697e0edaf06755 /sys/kern
parentb92e0e66c9af0cd29e7c90698f3dd2e0ab6af7d3 (diff)
amd64 needs FS.base values (the TCB pointer) to be validated, as noncanonical
addresses will cause a fault on load by the kernel. Problem observed by Maxime Villard ok kettenis@ deraadt@
Diffstat (limited to 'sys/kern')
-rw-r--r--sys/kern/kern_fork.c4
-rw-r--r--sys/kern/kern_prot.c7
2 files changed, 8 insertions, 3 deletions
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index f233d94bd7a..71a4c78fc4a 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_fork.c,v 1.198 2017/08/29 02:51:27 deraadt Exp $ */
+/* $OpenBSD: kern_fork.c,v 1.199 2017/09/27 05:43:55 guenther Exp $ */
/* $NetBSD: kern_fork.c,v 1.29 1996/02/09 18:59:34 christos Exp $ */
/*
@@ -128,6 +128,8 @@ sys___tfork(struct proc *p, void *v, register_t *retval)
if (KTRPOINT(p, KTR_STRUCT))
ktrstruct(p, "tfork", &param, sizeof(param));
#endif
+ if (TCB_INVALID(param.tf_tcb))
+ return EINVAL;
return thread_fork(p, param.tf_stack, param.tf_tcb, param.tf_tid,
retval);
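Review bot: The new TCB_INVALID() check has no comment saying why a user-supplied TCB pointer must be rejected at this point, and the reason is not visible in the code because the fault happens later, when the kernel loads the value into FS.base; add `/* reject TCB values (e.g. noncanonical addresses) that would fault when loaded into FS.base */` above the check. The same comment belongs on the identical check added to sys___set_tcb in kern_prot.c. TCB_INVALID() is presumably a machine-dependent macro; this diff is limited to sys/kern, so a definition for every architecture, including those where no value is invalid, is assumed to exist outside this change. sys___tfork begins and ends outside the hunk.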
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index d3bd45a185c..27061d1e4e6 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_prot.c,v 1.69 2017/04/13 04:06:46 guenther Exp $ */
+/* $OpenBSD: kern_prot.c,v 1.70 2017/09/27 05:43:55 guenther Exp $ */
/* $NetBSD: kern_prot.c,v 1.33 1996/02/09 18:59:42 christos Exp $ */
/*
@@ -1073,8 +1073,11 @@ sys___set_tcb(struct proc *p, void *v, register_t *retval)
struct sys___set_tcb_args /* {
syscallarg(void *) tcb;
} */ *uap = v;
+ void *tcb = SCARG(uap, tcb);
- TCB_SET(p, SCARG(uap, tcb));
+ if (TCB_INVALID(tcb))
+ return EINVAL;
+ TCB_SET(p, tcb);
return (0);
}
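Review bot: The new `return EINVAL;` sits two lines above the existing `return (0);`, so the function now mixes bare and parenthesized return values; use one form, e.g. `return (EINVAL);`, to match the line it joins. Reading SCARG(uap, tcb) once into the local `tcb` and checking it before TCB_SET is the right shape, since the validated value is exactly the one that gets stored. sys___set_tcb begins outside the hunk.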