Date: Wed, 21 Mar 2018 23:45:48 +0000 (UTC)
From: Ed Maste <emaste@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r331330 - stable/11/sys/compat/svr4
Message-ID: <201803212345.w2LNjmTf070955@repo.freebsd.org>

Author: emaste
Date: Wed Mar 21 23:45:48 2018
New Revision: 331330
URL: https://svnweb.freebsd.org/changeset/base/331330

Log:
  Fix kernel memory disclosure in svr4_sys_getdents64

  svr4_sys_getdents64() copies a dirent structure to userland. When
  calculating the record length for any given dirent entry alignment is
  performed. However, the aligned bytes are not cleared, this will trigger
  an info leak.

  Direct commit to stable/11; this code does not exist in HEAD.
  This change to be merged from stable/11 to stable/10.

  Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
  MFC after: 3 days
  Security: Kernel memory disclosure (797)
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/sys/compat/svr4/svr4_misc.c

Modified: stable/11/sys/compat/svr4/svr4_misc.c ============================================================================== --- stable/11/sys/compat/svr4/svr4_misc.c Wed Mar 21 23:26:42 2018 (r331329) +++ stable/11/sys/compat/svr4/svr4_misc.c Wed Mar 21 23:45:48 2018 (r331330) @@ -259,6 +259,7 @@ svr4_sys_getdents64(td, uap) u_long *cookies = NULL, *cookiep; int ncookies; + memset(&svr4_dirent, 0, sizeof(svr4_dirent)); DPRINTF(("svr4_sys_getdents64(%d, *, %d)\n", uap->fd, uap->nbytes)); error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp);
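
Review bot: the memset(&svr4_dirent, 0, sizeof(svr4_dirent)) added after the declarations in svr4_sys_getdents64() runs once at function entry, while the log describes padding that appears per entry when the record length is aligned. The loop that fills and copies out each record is outside this hunk, so if svr4_dirent is reused across entries, the tail of a longer earlier name can remain in a later, shorter record; clearing the struct (or the bytes between the name's NUL and the aligned length) before each copy to userland would make every record fully defined. A one-line comment above the memset saying it exists to clear alignment padding that is copied to userland would also keep it from being removed later as redundant.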
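
The padding leak described in the commit log, as an added example that is not part of the original e-mail or the FreeBSD source. The `struct rec` layout, the `0xAA` marker standing in for stale stack contents, and the `memcpy` standing in for `copyout()` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record, loosely shaped like a dirent64; not the FreeBSD struct. */
struct rec {
	uint64_t ino;
	int64_t  off;
	uint16_t reclen;
	char     name[256];
};

#define ALIGN8(n) (((n) + 7u) & ~(size_t)7u)
#define STALE     0xAA	/* constructed marker for leftover stack bytes */

/* Build one record and copy reclen bytes to out[]; returns reclen (0 on bad name). */
static size_t emit(const char *name, int zero_first, unsigned char *out)
{
	struct rec r;
	size_t namlen = strlen(name);
	size_t reclen = ALIGN8(offsetof(struct rec, name) + namlen + 1);

	if (namlen >= sizeof(r.name))
		return 0;
	memset(&r, STALE, sizeof(r));	/* simulate an uninitialized stack slot */
	if (zero_first)
		memset(&r, 0, sizeof(r));	/* the fix: clear before filling */
	r.ino = 1;
	r.off = 0;
	r.reclen = (uint16_t)reclen;
	memcpy(r.name, name, namlen + 1);
	memcpy(out, &r, reclen);	/* stands in for copyout() to userland */
	return reclen;
}

/* Count bytes of the copied-out record that still hold the stale marker. */
static size_t leaked(const char *name, int zero_first)
{
	unsigned char out[sizeof(struct rec)];
	size_t n = emit(name, zero_first, out), i, cnt = 0;

	for (i = 0; i < n; i++)
		cnt += (out[i] == STALE);
	return cnt;
}

int main(void)
{
	printf("unfixed: %zu stale bytes, fixed: %zu\n", leaked("a", 0), leaked("a", 1));
	return 0;
}
```

The stale bytes sit between the name's terminating NUL and the aligned record length, which is why a name whose record already ends on an 8-byte boundary leaks nothing.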