svn commit: r331330 - stable/11/sys/compat/svr4
Ed Maste
emaste at FreeBSD.org
Wed Mar 21 23:45:49 UTC 2018
Author: emaste
Date: Wed Mar 21 23:45:48 2018
New Revision: 331330
URL: https://svnweb.freebsd.org/changeset/base/331330
Log:
Fix kernel memory disclosure in svr4_sys_getdents64
svr4_sys_getdents64() copies a dirent structure to userland. When
calculating the record length for any given dirent entry, alignment is
performed. However, the aligned bytes are not cleared; this will
trigger an info leak.
Direct commit to stable/11; this code does not exist in HEAD. This
change to be merged from stable/11 to stable/10.
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
MFC after: 3 days
Security: Kernel memory disclosure (797)
Sponsored by: The FreeBSD Foundation
Modified:
stable/11/sys/compat/svr4/svr4_misc.c
Modified: stable/11/sys/compat/svr4/svr4_misc.c
==============================================================================
--- stable/11/sys/compat/svr4/svr4_misc.c Wed Mar 21 23:26:42 2018 (r331329)
+++ stable/11/sys/compat/svr4/svr4_misc.c Wed Mar 21 23:45:48 2018 (r331330)
@@ -259,6 +259,7 @@ svr4_sys_getdents64(td, uap)
u_long *cookies = NULL, *cookiep;
int ncookies;
+ memset(&svr4_dirent, 0, sizeof(svr4_dirent));
DPRINTF(("svr4_sys_getdents64(%d, *, %d)\n",
uap->fd, uap->nbytes));
error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp);
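Review bot: The memset() added after the `int ncookies;` declaration carries no comment explaining why svr4_dirent is cleared. A one-line comment saying that the structure is copied to userland and its alignment padding must not carry stale kernel memory would keep a later cleanup from dropping the call as redundant. The clear also runs only once, at function entry, while the log message describes the record length being aligned per entry. If svr4_dirent is refilled for each entry further down (not visible in this hunk), confirm that bytes left over from a longer earlier name are acceptable to copy out with a shorter one, or move the clear to where each entry is built.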