summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authoranton <anton@cvs.openbsd.org>2019-02-20 07:00:32 +0000
committeranton <anton@cvs.openbsd.org>2019-02-20 07:00:32 +0000
commitb94319688470412586c63afc0387ef961a345b56 (patch)
tree99542c70398c0240c4a2b98a1471d19ddb9c6925 /sys
parent1387d0fd8059fdd57500a23ee0b3d588eae6d3f8 (diff)
Reject negative input from userland in spkrioctl(). One of the arguments
are later passed to timeout_add() which panics if the given ticks are negative. While here, clamp arguments in pcppi_bell() in order to prevent overflow. ok visa@ Reported-by: syzbot+23089c40a85aa70bed6f@syzkaller.appspotmail.com
Diffstat (limited to 'sys')
-rw-r--r--sys/dev/isa/pcppi.c12
-rw-r--r--sys/dev/isa/spkr.c6
2 files changed, 16 insertions, 2 deletions
diff --git a/sys/dev/isa/pcppi.c b/sys/dev/isa/pcppi.c
index 16e2f2cf0cf..46faf991290 100644
--- a/sys/dev/isa/pcppi.c
+++ b/sys/dev/isa/pcppi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcppi.c,v 1.13 2016/01/08 15:54:13 jcs Exp $ */
+/* $OpenBSD: pcppi.c,v 1.14 2019/02/20 07:00:31 anton Exp $ */
/* $NetBSD: pcppi.c,v 1.1 1998/04/15 20:26:18 drochner Exp $ */
/*
@@ -192,6 +192,16 @@ pcppi_bell(self, pitch, period, slp)
struct pcppi_softc *sc = self;
int s1, s2;
+ if (pitch < 0)
+ pitch = 0;
+ else if (pitch > INT_MAX - TIMER_FREQ)
+ pitch = INT_MAX - TIMER_FREQ;
+
+ if (period < 0)
+ period = 0;
+ else if (period > INT_MAX / 1000000)
+ period = INT_MAX / 1000000;
+
s1 = spltty(); /* ??? */
if (sc->sc_bellactive) {
if (sc->sc_timeout) {
diff --git a/sys/dev/isa/spkr.c b/sys/dev/isa/spkr.c
index 07311cb522b..87ef349b9bb 100644
--- a/sys/dev/isa/spkr.c
+++ b/sys/dev/isa/spkr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: spkr.c,v 1.22 2017/12/30 23:08:29 guenther Exp $ */
+/* $OpenBSD: spkr.c,v 1.23 2019/02/20 07:00:31 anton Exp $ */
/* $NetBSD: spkr.c,v 1.1 1998/04/15 20:26:18 drochner Exp $ */
/*
@@ -483,6 +483,8 @@ spkrioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p)
case SPKRTONE:
tp = (tone_t *)data;
+ if (tp->duration < 0 || tp->frequency < 0)
+ return (EINVAL);
if (tp->frequency == 0)
rest(tp->duration);
else
@@ -495,6 +497,8 @@ spkrioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p)
error = copyin(tp, &ttp, sizeof(tone_t));
if (error)
return (error);
+ if (ttp.duration < 0 || ttp.frequency < 0)
+ return (EINVAL);
if (ttp.duration == 0)
break;
if (ttp.frequency == 0)