aboutsummaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authorDavid Schultz <das@FreeBSD.org>2005-03-23 08:27:59 +0000
committerDavid Schultz <das@FreeBSD.org>2005-03-23 08:27:59 +0000
commitf2c7668eb1581c4fbd5a7d43af0dd363f8b3206e (patch)
tree76ddf2f926b75aca9b54ed0b6d961473f0bd5faf /sys
parent58ce5a270090e5a923cd309eb8c6bb4e462ba29f (diff)
downloadsrc-f2c7668eb1581c4fbd5a7d43af0dd363f8b3206e.tar.gz
src-f2c7668eb1581c4fbd5a7d43af0dd363f8b3206e.zip
Make ps_nargvstr and ps_nenvstr unsigned. This fixes an input
validation error in procfs/linprocfs that can be exploited by local users to cause a kernel panic. All versions of FreeBSD with the patch referenced in SA-04:17.procfs have this bug, but versions without that patch have a more serious bug instead. This problem only affects systems on which procfs or linprocfs is mounted. Found by: Coverity Prevent analysis tool Security: Local DOS
Notes
Notes: svn path=/head/; revision=144011
Diffstat (limited to 'sys')
-rw-r--r--sys/amd64/linux32/linux32_sysvec.c4
-rw-r--r--sys/sys/exec.h4
2 files changed, 4 insertions, 4 deletions
diff --git a/sys/amd64/linux32/linux32_sysvec.c b/sys/amd64/linux32/linux32_sysvec.c
index be4c6cce987a..8e0fc950d640 100644
--- a/sys/amd64/linux32/linux32_sysvec.c
+++ b/sys/amd64/linux32/linux32_sysvec.c
@@ -207,9 +207,9 @@ static int _bsd_to_linux_trapcode[] = {
struct linux32_ps_strings {
u_int32_t ps_argvstr; /* first of 0 or more argument strings */
- int ps_nargvstr; /* the number of argument strings */
+ u_int ps_nargvstr; /* the number of argument strings */
u_int32_t ps_envstr; /* first of 0 or more environment strings */
- int ps_nenvstr; /* the number of environment strings */
+ u_int ps_nenvstr; /* the number of environment strings */
};
/*
diff --git a/sys/sys/exec.h b/sys/sys/exec.h
index 07becafe0f25..8c95c36e6874 100644
--- a/sys/sys/exec.h
+++ b/sys/sys/exec.h
@@ -48,9 +48,9 @@
*/
struct ps_strings {
char **ps_argvstr; /* first of 0 or more argument strings */
- int ps_nargvstr; /* the number of argument strings */
+ unsigned int ps_nargvstr; /* the number of argument strings */
char **ps_envstr; /* first of 0 or more environment strings */
- int ps_nenvstr; /* the number of environment strings */
+ unsigned int ps_nenvstr; /* the number of environment strings */
};
/*