

Make sure we do not increase the escape sequence argument count beyond usable

bounds, in case escape sequences end up with too many semicolons.
Without this, the kernel could be made to access random memory after receiving
some specially crafted DCS or CSI terminal escape sequences.

Reported by David Leadbeater (dgl, dgl dot cx)
miod committed Jul 24, 2023
1 parent a267e19 commit 9d3f688
Showing 2 changed files with 16 additions and 22 deletions.
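--- a/sys/dev/wscons/wsemul_sun.c
+++ b/sys/dev/wscons/wsemul_sun.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: wsemul_sun.c,v 1.36 2023/03/06 20:34:35 miod Exp $ */
+/* $OpenBSD: wsemul_sun.c,v 1.37 2023/07/24 17:03:32 miod Exp $ */
 /* $NetBSD: wsemul_sun.c,v 1.11 2000/01/05 11:19:36 drochner Exp $ */
 
 /*
@@ -617,13 +617,14 @@ wsemul_sun_output_control(struct wsemul_sun_emuldata *edp,
 break;
 
 case ';': /* argument terminator */
-edp->nargs++;
+if (edp->nargs < SUN_EMUL_NARGS)
+edp->nargs++;
 break;
 
 default: /* end of escape sequence */
-oargs = edp->nargs++;
-if (edp->nargs > SUN_EMUL_NARGS)
-edp->nargs = SUN_EMUL_NARGS;
+oargs = edp->nargs;
+if (edp->nargs < SUN_EMUL_NARGS)
+edp->nargs++;
 rc = wsemul_sun_control(edp, instate);
 if (rc != 0) {
 /* undo nargs progress */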
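Review bot: Both guarded increments (the `';'` case and the end-of-sequence `default` case) let `edp->nargs` settle at `SUN_EMUL_NARGS` itself, which is a valid count but, if `args[]` is sized by that constant, one past its last index. The argument-digit case sits above this hunk and is not visible here, so it is worth confirming that it never writes `args[edp->nargs]` without its own bound check once the count has saturated. I would state the invariant next to the first guard, e.g. `/* nargs saturates at SUN_EMUL_NARGS: at that value it is a count, never a valid index into args[] */`. wsemul_sun_output_control starts and ends outside the hunk.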
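--- a/sys/dev/wscons/wsemul_vt100.c
+++ b/sys/dev/wscons/wsemul_vt100.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: wsemul_vt100.c,v 1.45 2023/03/06 20:34:35 miod Exp $ */
+/* $OpenBSD: wsemul_vt100.c,v 1.46 2023/07/24 17:03:32 miod Exp $ */
 /* $NetBSD: wsemul_vt100.c,v 1.13 2000/04/28 21:56:16 mycroft Exp $ */
 
 /*
@@ -868,16 +868,12 @@ wsemul_vt100_output_dcs(struct wsemul_vt100_emuldata *edp,
 (instate->inchar - '0');
 break;
 case ';': /* argument terminator */
-edp->nargs++;
+if (edp->nargs < VT100_EMUL_NARGS)
+edp->nargs++;
 break;
 default:
-edp->nargs++;
-if (edp->nargs > VT100_EMUL_NARGS) {
-#ifdef VT100_DEBUG
-printf("vt100: too many arguments\n");
-#endif
-edp->nargs = VT100_EMUL_NARGS;
-}
+if (edp->nargs < VT100_EMUL_NARGS)
+edp->nargs++;
 newstate = VT100_EMUL_STATE_STRING;
 switch (instate->inchar) {
 case '$':
@@ -1069,7 +1065,8 @@ wsemul_vt100_output_csi(struct wsemul_vt100_emuldata *edp,
 (instate->inchar - '0');
 break;
 case ';': /* argument terminator */
-edp->nargs++;
+if (edp->nargs < VT100_EMUL_NARGS)
+edp->nargs++;
 break;
 case '?': /* DEC specific */
 case '>': /* DA query */
@@ -1082,13 +1079,9 @@ wsemul_vt100_output_csi(struct wsemul_vt100_emuldata *edp,
 edp->modif2 = (char)instate->inchar;
 break;
 default: /* end of escape sequence */
-oargs = edp->nargs++;
-if (edp->nargs > VT100_EMUL_NARGS) {
-#ifdef VT100_DEBUG
-printf("vt100: too many arguments\n");
-#endif
-edp->nargs = VT100_EMUL_NARGS;
-}
+oargs = edp->nargs;
+if (edp->nargs < VT100_EMUL_NARGS)
+edp->nargs++;
 rc = wsemul_vt100_handle_csi(edp, instate);
 if (rc != 0) {
 edp->nargs = oargs;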
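Review bot: The `VT100_DEBUG` message `vt100: too many arguments` is removed from both the DCS and CSI terminators and nothing replaces it, so an over-long argument list is now truncated silently even in debug builds, in the `';'` cases as well as the `default` ones. Since that input is what the commit message describes as specially crafted, a debug-only trace in the saturating branch would keep it observable: after the guarded increment, under `#ifdef VT100_DEBUG`, add `else printf("vt100: too many arguments\n");`. The same two-line guard now appears four times in this file (and twice in wsemul_sun.c), so a short comment on the first occurrence, such as `/* nargs saturates at VT100_EMUL_NARGS */`, would document the invariant for all of them. Both functions start and end outside the hunks shown.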
