hardenedbsd/HardenedBSD
1
0
Fork 0
mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git synced 2024-11-23 21:11:09 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Reject negative ngrp arguments in linux_setgroups() and linux_setgroups16();

Browse Source 
stops users being able to cause setgroups to clobber the kernel stack by
copying in data past the end of the linux_gidset array.
This commit is contained in:
Tim J. Robbins 2003-10-21 11:00:33 +00:00
parent c3093074c4
commit 1d2d5501f9
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=121302
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sys/compat/linux/linux_misc.c
View File

@ -989,7 +989,7 @@ linux_setgroups(struct thread *td, struct linux_setgroups_args *args)
struct proc *p;
ngrp = args->gidsetsize;
if (ngrp >= NGROUPS)
if (ngrp < 0 || ngrp >= NGROUPS)
return (EINVAL);
error = copyin(args->grouplist, linux_gidset, ngrp * sizeof(l_gid_t));
if (error)

2
sys/compat/linux/linux_uid16.c
View File

@ -100,7 +100,7 @@ linux_setgroups16(struct thread *td, struct linux_setgroups16_args *args)
#endif
ngrp = args->gidsetsize;
if (ngrp >= NGROUPS)
if (ngrp < 0 || ngrp >= NGROUPS)
return (EINVAL);
error = copyin(args->gidset, linux_gidset, ngrp * sizeof(l_gid16_t));
if (error)