Permalink
Browse files

Limit glyph count in vtfont_load to avoid integer overflow.

Invalid font data passed to PIO_VFONT can result in an integer overflow
in glyphsize.  Characters may then be drawn on the console using glyph
map entries that point beyond the end of allocated glyph memory,
resulting in a kernel memory disclosure.

Submitted by:	emaste
Reported by:	Dr. Silvio Cesare of InfoSect
Security:	CVE-2018-6917
Security:	FreeBSD-SA-18:04.vt
Sponsored by:	The FreeBSD Foundation
  • Loading branch information...
gordon gordon
gordon authored and gordon committed Apr 4, 2018
1 parent 3b8406e commit 44adf367dc37489a9d01a3cb032c316042464e2d
Showing with 3 additions and 1 deletion.
  1. +3 −1 sys/dev/vt/vt_font.c
@@ -44,6 +44,7 @@ static MALLOC_DEFINE(M_VTFONT, "vtfont", "vt font");
/* Some limits to prevent abnormal fonts from being loaded. */
#define VTFONT_MAXMAPPINGS 65536
#define VTFONT_MAXGLYPHS 131072
#define VTFONT_MAXGLYPHSIZE 2097152
#define VTFONT_MAXDIMENSION 128
@@ -173,7 +174,8 @@ vtfont_load(vfnt_t *f, struct vt_font **ret)
/* Make sure the dimensions are valid. */
if (f->width < 1 || f->height < 1)
return (EINVAL);
if (f->width > VTFONT_MAXDIMENSION || f->height > VTFONT_MAXDIMENSION)
if (f->width > VTFONT_MAXDIMENSION || f->height > VTFONT_MAXDIMENSION ||
f->glyph_count > VTFONT_MAXGLYPHS)
return (E2BIG);
/* Not too many mappings. */

0 comments on commit 44adf36

Please sign in to comment.