svn commit: r359021 - stable/12/sys/kern
Bjoern A. Zeeb
bz at FreeBSD.org
Mon Mar 16 21:12:47 UTC 2020
Author: bz
Date: Mon Mar 16 21:12:46 2020
New Revision: 359021
URL: https://svnweb.freebsd.org/changeset/base/359021
Log:
MFC r358992:
kern_jail: missing \0 termination check on osrelease parameter
If a user supplies a non-\0 terminated osrelease parameter, reading it back
may disclose kernel memory.
This is a problem in case of nested jails (children.max > 0, which is not
the default). Otherwise root outside the jail has access to kernel memory
by other means and root inside a jail cannot create a child jail.
Add the proper \0 check at the end of a supplied osrelease parameter and
make sure any copies of the field will be \0-terminated.
Submitted by: Hans Christian Woithe (chwoithe yahoo.com)
Modified:
stable/12/sys/kern/kern_jail.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/sys/kern/kern_jail.c
==============================================================================
--- stable/12/sys/kern/kern_jail.c Mon Mar 16 21:12:32 2020 (r359020)
+++ stable/12/sys/kern/kern_jail.c Mon Mar 16 21:12:46 2020 (r359021)
@@ -862,8 +862,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
"osrelease cannot be changed after creation");
goto done_errmsg;
}
- if (len == 0 || len >= OSRELEASELEN) {
+ if (len == 0 || osrelstr[len - 1] != '\0') {
error = EINVAL;
+ goto done_free;
+ }
+ if (len >= OSRELEASELEN) {
+ error = ENAMETOOLONG;
vfs_opterror(opts,
"osrelease string must be 1-%d bytes long",
OSRELEASELEN - 1);
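Review bot: The new EINVAL branch at `if (len == 0 || osrelstr[len - 1] != '\0')` jumps to done_free with no vfs_opterror() call, so a caller passing an empty or unterminated osrelease gets a bare errno, while the length branch right below still supplies a message. Consider reporting a message on this path too, stating that osrelease must be a non-empty \0-terminated string. Separately, the overlong case now returns ENAMETOOLONG where the old combined check returned EINVAL; that is a userland-visible errno change and deserves a line in the commit log and in the jail documentation.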
@@ -1253,9 +1257,11 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
if (osrelstr == NULL)
- strcpy(pr->pr_osrelease, ppr->pr_osrelease);
+ strlcpy(pr->pr_osrelease, ppr->pr_osrelease,
+ sizeof(pr->pr_osrelease));
else
- strcpy(pr->pr_osrelease, osrelstr);
+ strlcpy(pr->pr_osrelease, osrelstr,
+ sizeof(pr->pr_osrelease));
LIST_INIT(&pr->pr_children);
mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK);
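Review bot: Both strlcpy() calls that replace strcpy() here discard the return value, so if either source were ever longer than sizeof(pr->pr_osrelease) the copy would truncate silently. For osrelstr, the `len >= OSRELEASELEN` rejection in the earlier hunk is what should rule that out, but nothing in these lines ties sizeof(pr->pr_osrelease) to OSRELEASELEN. A short comment, or an assertion that the strlcpy() result is smaller than sizeof(pr->pr_osrelease), would document the invariant and catch a future size mismatch.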