svn commit: r331670 - stable/11/sys/i386/ibcs2
Ed Maste
emaste at FreeBSD.org
Wed Mar 28 13:41:44 UTC 2018
Author: emaste
Date: Wed Mar 28 13:41:43 2018
New Revision: 331670
URL: https://svnweb.freebsd.org/changeset/base/331670
Log:
MFC r331329: Fix kernel memory disclosure in ibcs2_getdents
ibcs2_getdents() copies a dirent structure to userland. The ibcs2
dirent structure contains a 2 byte pad element. This element is never
initialized, but copied to userland nonetheless.
Note that ibcs2 has not built on HEAD since r302095.
Submitted by: Domagoj Stolfa <ds815 at cam.ac.uk>
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Security: Kernel memory disclosure (803)
Sponsored by: The FreeBSD Foundation
Modified:
stable/11/sys/i386/ibcs2/ibcs2_misc.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/i386/ibcs2/ibcs2_misc.c
==============================================================================
--- stable/11/sys/i386/ibcs2/ibcs2_misc.c Wed Mar 28 13:39:20 2018 (r331669)
+++ stable/11/sys/i386/ibcs2/ibcs2_misc.c Wed Mar 28 13:41:43 2018 (r331670)
@@ -330,6 +330,7 @@ ibcs2_getdents(struct thread *td, struct ibcs2_getdent
#define BSD_DIRENT(cp) ((struct dirent *)(cp))
#define IBCS2_RECLEN(reclen) (reclen + sizeof(u_short))
+ memset(&idb, 0, sizeof(idb));
error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp);
if (error != 0)
return (error);
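Review bot: The added memset(&idb, 0, sizeof(idb)) directly after the IBCS2_RECLEN define has no comment explaining why it is there, so it reads like redundant initialization that a later cleanup could remove. A one-line comment above it, stating that idb contains pad bytes that are copied out to userland and must be zeroed first, would keep the intent from the log message next to the code. Zeroing the whole structure rather than assigning only the pad member is the safer form, since it also covers any padding the compiler inserts. The rest of the function is not visible in this hunk, so it is worth confirming that no later code path hands a different, unzeroed buffer to the copyout.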