From 434ea137cc932f9af59b58a3c0881a6832b70061 Mon Sep 17 00:00:00 2001
From: Gleb Smirnoff
Date: Thu, 26 Jan 2012 11:59:48 +0000
Subject: [PATCH] Although aio_nbytes is size_t, later is is signed to casted types: to ssize_t in filesystem code and to int in buf code, thus supplying a negative argument leads to kernel panic later. To fix that check user supplied argument in the beginning of syscall. Submitted by: Maxim Dounin , maxim@
---
 sys/kern/vfs_aio.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c
index 7af9f552a417..fe682d870d87 100644
--- a/sys/kern/vfs_aio.c
+++ b/sys/kern/vfs_aio.c
@@ -1552,6 +1552,12 @@ aio_aqueue(struct thread *td, struct aiocb *job, struct aioliojob *lj,
 return (error);
 }
 
+ /* XXX: aio_nbytes is later casted to signed types. */
+ if ((int)aiocbe->uaiocb.aio_nbytes < 0) {
+ uma_zfree(aiocb_zone, aiocbe);
+ return (EINVAL);
+ }
+
 if (aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_KEVENT &&
 aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_SIGNAL &&
 aiocbe->uaiocb.aio_sigevent.sigev_notify != SIGEV_THREAD_ID &&
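Review bot: The added guard `if ((int)aiocbe->uaiocb.aio_nbytes < 0)` truncates aio_nbytes to int before testing the sign, so on targets where size_t is wider than int a user-supplied length whose low 32 bits happen to be non-negative still passes even though the full value is out of range and, as the commit message itself notes, becomes negative once the filesystem code casts it to ssize_t. Comparing the untruncated value against the narrowest signed type it is later cast to closes that gap in one line: `if (aiocbe->uaiocb.aio_nbytes > INT_MAX) {` (INT_MAX from the kernel's limits header, if this file does not already include it). The XXX comment could then state the contract rather than a warning, e.g. `/* aio_nbytes is later cast to ssize_t and int; reject anything that does not fit in int. */`. The enclosing function aio_aqueue begins and ends outside this hunk.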