MFC r331981:

Limit glyph count in vtfont_load to avoid integer overflow. Invalid font data passed to PIO_VFONT can result in an integer overflow in glyphsize. Characters may then be drawn on the console using glyph map entries that point beyond the end of allocated glyph memory, resulting in a kernel memory disclosure. Submitted by: emaste Reported by: Dr. Silvio Cesare of InfoSect Security: CVE-2018-6917 Security: FreeBSD-SA-18:04.vt Sponsored by: The FreeBSD Foundation
HardenedBSD · Apr 4, 2018 · 5966c5f · 5966c5f
1 parent 3522a21
commit 5966c5f
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/sys/dev/vt/vt_font.c b/sys/dev/vt/vt_font.c
@@ -42,6 +42,7 @@ static MALLOC_DEFINE(M_VTFONT, "vtfont", "vt font");
 
 /* Some limits to prevent abnormal fonts from being loaded. */
 #define	VTFONT_MAXMAPPINGS	65536
+#define	VTFONT_MAXGLYPHS	131072
 #define	VTFONT_MAXGLYPHSIZE	2097152
 #define	VTFONT_MAXDIMENSION	128
 
@@ -171,7 +172,8 @@ vtfont_load(vfnt_t *f, struct vt_font **ret)
 	/* Make sure the dimensions are valid. */
 	if (f->width < 1 || f->height < 1)
 		return (EINVAL);
-	if (f->width > VTFONT_MAXDIMENSION || f->height > VTFONT_MAXDIMENSION)
+	if (f->width > VTFONT_MAXDIMENSION || f->height > VTFONT_MAXDIMENSION ||
+	    f->glyph_count > VTFONT_MAXGLYPHS)
 		return (E2BIG);
 
 	/* Not too many mappings. */