svn commit: r359021 - stable/12/sys/kern

Bjoern A. Zeeb bz at FreeBSD.org
Mon Mar 16 21:12:47 UTC 2020 

Author: bz
Date: Mon Mar 16 21:12:46 2020
New Revision: 359021
URL: https://svnweb.freebsd.org/changeset/base/359021

Log:
  MFC r358992:
  
    kern_jail: missing \0 termination check on osrelease parameter
  
    If a user spplies a non-\0 terminated osrelease parameter reading it back
    may disclose kernel memory.
    This is a problem in case of nested jails (children.max > 0, which is not
    the default).  Otherwise root outside the jail has access to kernel memory
    by other means and root inside a jail cannot create a child jail.
  
    Add the proper \0 check at the end of a supplied osrelease parameter and
    make sure any copies of the field will be \0-terminated.
  
    Submitted by:	Hans Christian Woithe (chwoithe yahoo.com)

Modified:
  stable/12/sys/kern/kern_jail.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/kern/kern_jail.c
==============================================================================
--- stable/12/sys/kern/kern_jail.c	Mon Mar 16 21:12:32 2020	(r359020)
+++ stable/12/sys/kern/kern_jail.c	Mon Mar 16 21:12:46 2020	(r359021)
@@ -862,8 +862,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
 			    "osrelease cannot be changed after creation");
 			goto done_errmsg;
 		}
-		if (len == 0 || len >= OSRELEASELEN) {
+		if (len == 0 || osrelstr[len - 1] != '\0') {
 			error = EINVAL;
+			goto done_free;
+		}
+		if (len >= OSRELEASELEN) {
+			error = ENAMETOOLONG;
 			vfs_opterror(opts,
 			    "osrelease string must be 1-%d bytes long",
 			    OSRELEASELEN - 1);
@@ -1253,9 +1257,11 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
 
 		pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
 		if (osrelstr == NULL)
-		    strcpy(pr->pr_osrelease, ppr->pr_osrelease);
+			strlcpy(pr->pr_osrelease, ppr->pr_osrelease,
+			    sizeof(pr->pr_osrelease));
 		else
-		    strcpy(pr->pr_osrelease, osrelstr);
+			strlcpy(pr->pr_osrelease, osrelstr,
+			    sizeof(pr->pr_osrelease));
 
 		LIST_INIT(&pr->pr_children);
 		mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK);

More information about the svn-src-all mailing list