diff options
author | anton <anton@cvs.openbsd.org> | 2019-02-20 07:00:32 +0000 |
---|---|---|
committer | anton <anton@cvs.openbsd.org> | 2019-02-20 07:00:32 +0000 |
commit | b94319688470412586c63afc0387ef961a345b56 (patch) | |
tree | 99542c70398c0240c4a2b98a1471d19ddb9c6925 /sys | |
parent | 1387d0fd8059fdd57500a23ee0b3d588eae6d3f8 (diff) |
Reject negative input from userland in spkrioctl(). One of the arguments
are later passed to timeout_add() which panics if the given ticks are
negative. While here, clamp arguments in pcppi_bell() in order to
prevent overflow.
ok visa@
Reported-by: syzbot+23089c40a85aa70bed6f@syzkaller.appspotmail.com
Diffstat (limited to 'sys')
-rw-r--r-- | sys/dev/isa/pcppi.c | 12 | ||||
-rw-r--r-- | sys/dev/isa/spkr.c | 6 |
2 files changed, 16 insertions, 2 deletions
diff --git a/sys/dev/isa/pcppi.c b/sys/dev/isa/pcppi.c index 16e2f2cf0cf..46faf991290 100644 --- a/sys/dev/isa/pcppi.c +++ b/sys/dev/isa/pcppi.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcppi.c,v 1.13 2016/01/08 15:54:13 jcs Exp $ */ +/* $OpenBSD: pcppi.c,v 1.14 2019/02/20 07:00:31 anton Exp $ */ /* $NetBSD: pcppi.c,v 1.1 1998/04/15 20:26:18 drochner Exp $ */ /* @@ -192,6 +192,16 @@ pcppi_bell(self, pitch, period, slp) struct pcppi_softc *sc = self; int s1, s2; + if (pitch < 0) + pitch = 0; + else if (pitch > INT_MAX - TIMER_FREQ) + pitch = INT_MAX - TIMER_FREQ; + + if (period < 0) + period = 0; + else if (period > INT_MAX / 1000000) + period = INT_MAX / 1000000; + s1 = spltty(); /* ??? */ if (sc->sc_bellactive) { if (sc->sc_timeout) { diff --git a/sys/dev/isa/spkr.c b/sys/dev/isa/spkr.c index 07311cb522b..87ef349b9bb 100644 --- a/sys/dev/isa/spkr.c +++ b/sys/dev/isa/spkr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: spkr.c,v 1.22 2017/12/30 23:08:29 guenther Exp $ */ +/* $OpenBSD: spkr.c,v 1.23 2019/02/20 07:00:31 anton Exp $ */ /* $NetBSD: spkr.c,v 1.1 1998/04/15 20:26:18 drochner Exp $ */ /* @@ -483,6 +483,8 @@ spkrioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p) case SPKRTONE: tp = (tone_t *)data; + if (tp->duration < 0 || tp->frequency < 0) + return (EINVAL); if (tp->frequency == 0) rest(tp->duration); else @@ -495,6 +497,8 @@ spkrioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p) error = copyin(tp, &ttp, sizeof(tone_t)); if (error) return (error); + if (ttp.duration < 0 || ttp.frequency < 0) + return (EINVAL); if (ttp.duration == 0) break; if (ttp.frequency == 0) |