Sat Oct 12 12:04:37 2019 UTC ()
Avoid signed integer overflow for -lwp where lwp is INT_MIN

Reported-by: syzbot+68b80b44b898e66da3fc@syzkaller.appspotmail.com


(kamil)
diff -r1.66 -r1.67 src/sys/kern/sys_ptrace_common.c


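--- a/src/sys/kern/sys_ptrace_common.c
+++ b/src/sys/kern/sys_ptrace_common.c
@@ -1,14 +1,14 @@
-/* $NetBSD: sys_ptrace_common.c,v 1.66 2019/10/09 13:19:43 kamil Exp $ */
+/* $NetBSD: sys_ptrace_common.c,v 1.67 2019/10/12 12:04:37 kamil Exp $ */
 
 /*-
  * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This code is derived from software contributed to The NetBSD Foundation
  * by Andrew Doran.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
@@ -108,27 +108,27 @@
 
 /*
  * References:
  * (1) Bach's "The Design of the UNIX Operating System",
  * (2) sys/miscfs/procfs from UCB's 4.4BSD-Lite distribution,
  * (3) the "4.4BSD Programmer's Reference Manual" published
  * by USENIX and O'Reilly & Associates.
  * The 4.4BSD PRM does a reasonably good job of documenting what the various
  * ptrace() requests should actually do, and its text is quoted several times
  * in this file.
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_ptrace_common.c,v 1.66 2019/10/09 13:19:43 kamil Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_ptrace_common.c,v 1.67 2019/10/12 12:04:37 kamil Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ptrace.h"
 #include "opt_ktrace.h"
 #include "opt_pax.h"
 #include "opt_compat_netbsd32.h"
 #endif
 
 #if defined(__HAVE_COMPAT_NETBSD32) && !defined(COMPAT_NETBSD32) \
  && !defined(_RUMPKERNEL)
 #define COMPAT_NETBSD32
 #endif
 
@@ -1192,28 +1192,32 @@ do_ptrace(struct ptrace_methods *ptm, st
  * data is the signo to deliver to the process.
  */
  tmp = data;
  if (tmp >= 0) {
 #ifdef PT_STEP
  if (req == PT_STEP)
  signo = 0;
  else
 #endif
  {
  signo = tmp;
  tmp = 0; /* don't search for LWP */
  }
- } else
+ } else if (tmp == INT_MIN) {
+ error = ESRCH;
+ break;
+ } else {
  tmp = -tmp;
+ }
 
  if (tmp > 0) {
  if (req == PT_DETACH) {
  error = EINVAL;
  break;
  }
  lwp_delref2 (lt);
  lt = lwp_find(t, tmp);
  if (lt == NULL) {
  error = ESRCH;
  break;
  }
  lwp_addref(lt);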
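Review bot: The new `tmp == INT_MIN` branch returns ESRCH before the `req == PT_DETACH` check that follows it, so PT_DETACH with data == INT_MIN reports ESRCH while every other negative data value reports EINVAL from that check. Setting `error = (req == PT_DETACH) ? EINVAL : ESRCH;` in the branch would keep the two paths consistent for callers that distinguish the errors. The branch would also benefit from a short comment such as `/* -INT_MIN overflows int; no LWP id can match */`, so the special case is not read as an ordinary lookup failure. The enclosing case in `do_ptrace` starts and ends outside this hunk, so how the reference held on `lt` is released after this early `break` is not visible here and should be confirmed.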