authorColin Percival <cperciva@FreeBSD.org>2005-05-06 02:40:32 +0000
committerColin Percival <cperciva@FreeBSD.org>2005-05-06 02:40:32 +0000
commit87c0973d9e410f3474229ede792adc39964aec99 (patch)
tree7f9022f68728e9a1e11681d953ef30b86005f83d
parente0b23d9f8506bb843ce89b41409321cd7dba1dbf (diff)
Correctly validate inputs to the i386_get_ldt syscall.
Security: FreeBSD-SA-05:07.ldt Approved by: so (cperciva)
Notes
Notes: svn path=/releng/5.3/; revision=145951
-rw-r--r--UPDATING3
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/i386/i386/sys_machdep.c9
3 files changed, 8 insertions, 6 deletions
diff --git a/UPDATING b/UPDATING
index 448fb7ed7e67..bb2a9a9ddf91 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,9 @@ Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running
portupgrade. Important recent entries: 20040724 (default X changes).
+20050506: p12 FreeBSD-SA-05:07.ldt
+ Correctly validate inputs to the i386_get_ldt syscall.
+
20050506: p11 FreeBSD-SA-05:06.iir
Correct overly liberal permissions on /dev/iir.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index e9151b1767e2..c5712880d515 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="5.3"
-BRANCH="RELEASE-p11"
+BRANCH="RELEASE-p12"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/i386/i386/sys_machdep.c b/sys/i386/i386/sys_machdep.c
index 57bb98217d62..1227a9a3c916 100644
--- a/sys/i386/i386/sys_machdep.c
+++ b/sys/i386/i386/sys_machdep.c
@@ -382,10 +382,6 @@ i386_get_ldt(td, args)
uap->start, uap->num, (void *)uap->descs);
#endif
- /* verify range of LDTs exist */
- if ((uap->start < 0) || (uap->num <= 0))
- return(EINVAL);
-
if (pldt) {
nldt = pldt->ldt_len;
num = min(uap->num, nldt);
@@ -395,7 +391,10 @@ i386_get_ldt(td, args)
num = min(uap->num, nldt);
lp = &ldt[uap->start];
}
- if (uap->start + num > nldt)
+
+ if ((uap->start > (unsigned int)nldt) ||
+ ((unsigned int)num > (unsigned int)nldt) ||
+ ((unsigned int)(uap->start + num) > (unsigned int)nldt))
return(EINVAL);
error = copyout(lp, uap->descs, num * sizeof(union descriptor));
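Review bot: The three-clause check added above `return(EINVAL)` is correct only because of the order of its clauses, and the code does not say so: `uap->start + num` in the last clause cannot wrap because the first two clauses have already bounded both operands by `nldt` (assuming `nldt` is a small non-negative count, which this hunk does not show). Since the earlier hunk removes the only comment on this validation, I would put `/* start and num are each bounded by nldt first, so start + num below cannot wrap */` above the `if`. Separately, `lp = &ldt[uap->start]` is still computed from the unvalidated `uap->start` before the check; it is not used until `copyout`, but assigning `lp` after the check would make it evident that no out-of-range pointer reaches the copy. The body of i386_get_ldt starts before this hunk and continues after it.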