From 4165c9af7926e950c71687bcde53399020994d50 Mon Sep 17 00:00:00 2001
From: glebius <glebius@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Tue, 25 Oct 2016 17:16:08 +0000
Subject: [PATCH] Merge r307936:   The argument validation in r296956 was not
 enough to close all possible   overflows in sysarch(2).

  Submitted by: Kun Yang <kun.yang chaitin.com>
  Patch by:     kib
  Security:     SA-16:15


git-svn-id: svn://svn.freebsd.org/base/stable/10@307940 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 sys/amd64/amd64/sys_machdep.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sys/amd64/amd64/sys_machdep.c b/sys/amd64/amd64/sys_machdep.c
index 77abfe8d8..fb984f5b3 100644
--- a/sys/amd64/amd64/sys_machdep.c
+++ b/sys/amd64/amd64/sys_machdep.c
@@ -619,6 +619,8 @@ amd64_set_ldt(td, uap, descs)
 		largest_ld = uap->start + uap->num;
 		if (largest_ld > max_ldt_segment)
 			largest_ld = max_ldt_segment;
+		if (largest_ld < uap->start)
+			return (EINVAL);
 		i = largest_ld - uap->start;
 		mtx_lock(&dt_lock);
 		bzero(&((struct user_segment_descriptor *)(pldt->ldt_base))
@@ -631,7 +633,8 @@ amd64_set_ldt(td, uap, descs)
 		/* verify range of descriptors to modify */
 		largest_ld = uap->start + uap->num;
 		if (uap->start >= max_ldt_segment ||
-		    largest_ld > max_ldt_segment)
+		    largest_ld > max_ldt_segment ||
+		    largest_ld < uap->start)
 			return (EINVAL);
 	}
 
-- 
2.45.0