From owner-svn-src-stable@freebsd.org Thu Mar 29 22:31:14 2018 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CD729F4F902; Thu, 29 Mar 2018 22:31:14 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7FB1A6804A; Thu, 29 Mar 2018 22:31:14 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 7A7222028A; Thu, 29 Mar 2018 22:31:14 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w2TMVElS070746; Thu, 29 Mar 2018 22:31:14 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w2TMVEA2070745; Thu, 29 Mar 2018 22:31:14 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201803292231.w2TMVEA2070745@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Thu, 29 Mar 2018 22:31:14 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r331749 - stable/10/sys/compat/svr4 X-SVN-Group: stable-10 X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: stable/10/sys/compat/svr4 X-SVN-Commit-Revision: 331749 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Mar 2018 22:31:15 -0000 Author: emaste Date: Thu Mar 29 22:31:14 2018 New Revision: 331749 URL: https://svnweb.freebsd.org/changeset/base/331749 Log: MF11 r331330: Fix kernel memory disclosure in svr4_sys_getdents64 svr4_sys_getdents64() copies a dirent structure to userland. When calculating the record length for any given dirent entry alignment is performed. However, the aligned bytes are not cleared, this will trigger an info leak. Reported by: Ilja Van Sprundel Security: Kernel memory disclosure (801) Sponsored by: The FreeBSD Foundation Modified: stable/10/sys/compat/svr4/svr4_misc.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/compat/svr4/svr4_misc.c ============================================================================== --- stable/10/sys/compat/svr4/svr4_misc.c Thu Mar 29 20:39:05 2018 (r331748) +++ stable/10/sys/compat/svr4/svr4_misc.c Thu Mar 29 22:31:14 2018 (r331749) @@ -260,6 +260,7 @@ svr4_sys_getdents64(td, uap) u_long *cookies = NULL, *cookiep; int ncookies; + memset(&svr4_dirent, 0, sizeof(svr4_dirent)); DPRINTF(("svr4_sys_getdents64(%d, *, %d)\n", uap->fd, uap->nbytes)); error = getvnode(td->td_proc->p_fd, uap->fd,