svn commit: r341166 - in stable/11/sys: arm/arm arm64/arm64 riscv/riscv
Eric van Gyzen
vangyzen at FreeBSD.org
Wed Nov 28 21:20:53 UTC 2018
Author: vangyzen
Date: Wed Nov 28 21:20:51 2018
New Revision: 341166
URL: https://svnweb.freebsd.org/changeset/base/341166
Log:
MFC r340995
Prevent kernel stack disclosure in signal delivery
On arm64 and riscv platforms, sendsig() failed to zero the signal
frame before copying it out to userspace. Zero it.
On arm, I believe all the contents of the frame were initialized,
so there was no disclosure. However, explicitly zero the whole frame
because that fact could inadvertently change in the future,
it's more clear to the reader, and I could be wrong in the first place.
Security: similar to FreeBSD-EN-18:12.mem and CVE-2018-17155
Sponsored by: Dell EMC Isilon
Modified:
stable/11/sys/arm/arm/machdep.c
stable/11/sys/arm64/arm64/machdep.c
stable/11/sys/riscv/riscv/machdep.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/arm/arm/machdep.c
==============================================================================
--- stable/11/sys/arm/arm/machdep.c Wed Nov 28 21:19:58 2018 (r341165)
+++ stable/11/sys/arm/arm/machdep.c Wed Nov 28 21:20:51 2018 (r341166)
@@ -609,6 +609,7 @@ sendsig(catcher, ksi, mask)
/* make the stack aligned */
fp = (struct sigframe *)STACKALIGN(fp);
/* Populate the siginfo frame. */
+ bzero(&frame, sizeof(frame));
get_mcontext(td, &frame.sf_uc.uc_mcontext, 0);
#ifdef VFP
get_vfpcontext(td, &frame.sf_vfp);
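Review bot: The added bzero(&frame, sizeof(frame)) sits under the existing "Populate the siginfo frame." comment with nothing saying why it is there, and on arm the log itself describes it as defensive rather than a fix for a known leak. A one-line comment stating that padding and any unset field must be zero before the frame is copied out would keep a later cleanup from removing the call as redundant. The visible context also shows frame.sf_vfp being filled only under #ifdef VFP, so unless code outside this hunk handles the other case, the zeroing is what keeps that member defined in non-VFP builds; that is worth mentioning in the same comment.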
Modified: stable/11/sys/arm64/arm64/machdep.c
==============================================================================
--- stable/11/sys/arm64/arm64/machdep.c Wed Nov 28 21:19:58 2018 (r341165)
+++ stable/11/sys/arm64/arm64/machdep.c Wed Nov 28 21:20:51 2018 (r341166)
@@ -590,6 +590,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask
fp = (struct sigframe *)STACKALIGN(fp);
/* Fill in the frame to copy out */
+ bzero(&frame, sizeof(frame));
get_mcontext(td, &frame.sf_uc.uc_mcontext, 0);
get_fpcontext(td, &frame.sf_uc.uc_mcontext);
frame.sf_si = ksi->ksi_info;
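Review bot: The context line frame.sf_si = ksi->ksi_info; is a whole-struct assignment that follows the new bzero, so it can carry the source's padding and unset bytes into the frame after it has been cleared. The zeroing covers the gaps between members of frame and anything the get_*context() calls leave untouched, but the siginfo portion is only as clean as ksi_info was when it was built. Please confirm that the ksiginfo is zero-initialized where it is created, or copy the siginfo fields individually, so the disclosure is closed for that member as well.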
Modified: stable/11/sys/riscv/riscv/machdep.c
==============================================================================
--- stable/11/sys/riscv/riscv/machdep.c Wed Nov 28 21:19:58 2018 (r341165)
+++ stable/11/sys/riscv/riscv/machdep.c Wed Nov 28 21:20:51 2018 (r341166)
@@ -522,6 +522,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask
fp = (struct sigframe *)STACKALIGN(fp);
/* Fill in the frame to copy out */
+ bzero(&frame, sizeof(frame));
get_mcontext(td, &frame.sf_uc.uc_mcontext, 0);
get_fpcontext(td, &frame.sf_uc.uc_mcontext);
frame.sf_si = ksi->ksi_info;
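Review bot: The bzero here depends on being the first write to frame, and nothing in the hunk records that ordering requirement; the "Fill in the frame to copy out" comment above it does not mention it. If a later edit moved the call below get_mcontext() or get_fpcontext(), it would silently wipe the saved context. A short comment on the bzero line stating that it must precede every store into frame would make this explicit. Because this sequence is line-for-line the same as the arm64 hunk, using identical wording in both files would help keep them in step.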