svn commit: r331749 - stable/10/sys/compat/svr4
Ed Maste
emaste at FreeBSD.org
Thu Mar 29 22:31:15 UTC 2018
Author: emaste
Date: Thu Mar 29 22:31:14 2018
New Revision: 331749
URL: https://svnweb.freebsd.org/changeset/base/331749
Log:
MF11 r331330: Fix kernel memory disclosure in svr4_sys_getdents64
svr4_sys_getdents64() copies a dirent structure to userland. When
calculating the record length for any given dirent entry, alignment is
performed. However, the aligned bytes are not cleared; this will
trigger an info leak.
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Security: Kernel memory disclosure (801)
Sponsored by: The FreeBSD Foundation
Modified:
stable/10/sys/compat/svr4/svr4_misc.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/sys/compat/svr4/svr4_misc.c
==============================================================================
--- stable/10/sys/compat/svr4/svr4_misc.c Thu Mar 29 20:39:05 2018 (r331748)
+++ stable/10/sys/compat/svr4/svr4_misc.c Thu Mar 29 22:31:14 2018 (r331749)
@@ -260,6 +260,7 @@ svr4_sys_getdents64(td, uap)
u_long *cookies = NULL, *cookiep;
int ncookies;
+ memset(&svr4_dirent, 0, sizeof(svr4_dirent));
DPRINTF(("svr4_sys_getdents64(%d, *, %d)\n",
uap->fd, uap->nbytes));
error = getvnode(td->td_proc->p_fd, uap->fd,
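Review bot: the memset() added ahead of the DPRINTF in svr4_sys_getdents64() carries no comment saying why svr4_dirent is zeroed, so a later cleanup could drop it as a redundant initialization. A one-line comment above it, such as /* Clear padding so aligned record bytes are not copied out uninitialized. */, would record the intent stated in the log message. Because the clear happens once at function entry, it is also worth confirming in the part of the function not shown in this hunk that every record copied out is built in svr4_dirent, so that the zeroed bytes are what reach userland.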
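The padding leak described in the log, as an added userland C example that is not part of the commit or of FreeBSD. `struct demo_dirent`, `DEMO_RECLEN`, the 8-byte alignment and the 0xA5 stale-memory marker are assumptions chosen for illustration, not the svr4 definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record modelled on a dirent; NOT the svr4 layout. */
struct demo_dirent {
    uint64_t d_ino;
    int64_t d_off;
    uint16_t d_reclen;
    char d_name[256];
};
#define STALE 0xA5 /* constructed marker standing in for old stack data */
#define DEMO_RECLEN(n) \
    ((offsetof(struct demo_dirent, d_name) + (n) + 1 + 7) & ~(size_t)7)

/* Build one record and copy reclen bytes out; clear selects the fix. */
static size_t demo_emit(const char *name, int clear, unsigned char *out)
{
    struct demo_dirent d;
    size_t namlen = strlen(name), reclen = DEMO_RECLEN(namlen);
    if (namlen >= sizeof(d.d_name))
        return 0;                      /* name does not fit */
    memset(&d, STALE, sizeof(d));      /* simulate leftover stack contents */
    if (clear)
        memset(&d, 0, sizeof(d));      /* same idea as the commit's memset() */
    d.d_ino = 2;
    d.d_off = 0;
    d.d_reclen = (uint16_t)reclen;
    memcpy(d.d_name, name, namlen + 1);
    memcpy(out, &d, reclen);           /* stands in for the copy to userland */
    return reclen;
}

/* Count copied-out bytes that still carry the stale marker. */
static size_t demo_leaked(const char *name, int clear)
{
    unsigned char out[sizeof(struct demo_dirent)];
    size_t n = 0, reclen = demo_emit(name, clear, out);
    for (size_t i = 0; i < reclen; i++)
        n += (out[i] == STALE);
    return n;
}

int main(void)
{
    printf("unfixed: %zu, fixed: %zu\n", demo_leaked("ab", 0), demo_leaked("ab", 1));
    return 0;
}
```

A name whose length already lands on the alignment boundary (five characters in this layout) produces no padding, which is why such a leak can go unnoticed in casual testing.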