CVS commit: src/sys/kern

To: source-changes%NetBSD.org@localhost
Subject: CVS commit: src/sys/kern
From: "Nia Alarie" <nia%netbsd.org@localhost>
Date: Fri, 9 Oct 2020 09:03:55 +0000

Module Name:    src
Committed By:   nia
Date:           Fri Oct  9 09:03:55 UTC 2020

Modified Files:
        src/sys/kern: tty.c

Log Message:
tty: Avoid undefined behaviour (left shift of 1 by 31 places overflows int)

The valid sizes of the tty input and output queues (according to the man page)
are between 1024 and 65536 and input values are converted to a power of two.

The check on the validity of the range is done after the input values are
converted, however, which means that a hostile program can attempt to set
the queue size to a negative value, and cause integer overflow before
the range is validated.

Detected by UBSan

Reported-by: syzbot+521b73969fd233c49e58%syzkaller.appspotmail.com@localhost


To generate a diff of this commit:
cvs rdiff -u -r1.289 -r1.290 src/sys/kern/tty.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Prev by Date: CVS commit: src/external/cddl/osnet/dist/uts/common/fs/zfs
Next by Date: CVS commit: xsrc/external/bsd/font-spleen-misc
Previous by Thread: CVS commit: src/external/cddl/osnet/dist/uts/common/fs/zfs
Next by Thread: CVS commit: xsrc/external/bsd/font-spleen-misc
Indexes:

Home | Main Index | Thread Index | Old Index