Date: Thu, 5 Apr 2018 12:54:10 +0000 (UTC) From: Ed Maste <emaste@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r332064 - stable/10/sys/compat/linux Message-ID: <201804051254.w35CsAwh076429@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: emaste Date: Thu Apr 5 12:54:10 2018 New Revision: 332064 URL: https://svnweb.freebsd.org/changeset/base/332064 Log: MFC r332042: Fix kernel memory disclosure in linux_ioctl_socket strlcpy is used to copy a string into a buffer to be copied to userland, previously leaving uninitialized data after the terminating NUL. Zero the buffer first to avoid a kernel memory disclosure. admbugs: 765, 811 Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> Reported by: Vlad Tsyrklevich Sponsored by: The FreeBSD Foundation Modified: stable/10/sys/compat/linux/linux_ioctl.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/compat/linux/linux_ioctl.c ============================================================================== --- stable/10/sys/compat/linux/linux_ioctl.c Thu Apr 5 12:50:47 2018 (r332063) +++ stable/10/sys/compat/linux/linux_ioctl.c Thu Apr 5 12:54:10 2018 (r332064) @@ -2427,6 +2427,7 @@ linux_ioctl_socket(struct thread *td, struct linux_ioc printf("%s(): ioctl %d on %.*s\n", __func__, args->cmd & 0xffff, LINUX_IFNAMSIZ, lifname); #endif + memset(ifname, 0, sizeof(ifname)); ifp = ifname_linux_to_bsd(td, lifname, ifname); if (ifp == NULL) return (EINVAL);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201804051254.w35CsAwh076429>