From owner-svn-src-releng@freebsd.org Wed Nov 15 22:39:42 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D3FF6DE949E; Wed, 15 Nov 2017 22:39:42 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 960DC7EEB0; Wed, 15 Nov 2017 22:39:42 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vAFMdf4R006190; Wed, 15 Nov 2017 22:39:41 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vAFMdfXM006189; Wed, 15 Nov 2017 22:39:41 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201711152239.vAFMdfXM006189@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Wed, 15 Nov 2017 22:39:41 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r325868 - releng/11.1/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: releng/11.1/sys/kern X-SVN-Commit-Revision: 325868 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 22:39:42 -0000 Author: gordon Date: Wed Nov 15 22:39:41 2017 New Revision: 325868 URL: https://svnweb.freebsd.org/changeset/base/325868 Log: Fix kernel data leak via ptrace(PT_LWPINFO). [SA-17:08] Approved by: so Security: FreeBSD-SA-17:08.ptrace Security: CVE-2017-1086 Modified: releng/11.1/sys/kern/sys_process.c Modified: releng/11.1/sys/kern/sys_process.c ============================================================================== --- releng/11.1/sys/kern/sys_process.c Wed Nov 15 22:35:16 2017 (r325867) +++ releng/11.1/sys/kern/sys_process.c Wed Nov 15 22:39:41 2017 (r325868) @@ -518,6 +518,7 @@ ptrace_lwpinfo_to32(const struct ptrace_lwpinfo *pl, struct ptrace_lwpinfo32 *pl32) { + bzero(pl32, sizeof(*pl32)); pl32->pl_lwpid = pl->pl_lwpid; pl32->pl_event = pl->pl_event; pl32->pl_flags = pl->pl_flags; @@ -1301,6 +1302,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, voi } else #endif pl = addr; + bzero(pl, sizeof(*pl)); pl->pl_lwpid = td2->td_tid; pl->pl_event = PL_EVENT_NONE; pl->pl_flags = 0; @@ -1321,8 +1323,6 @@ kern_ptrace(struct thread *td, int req, pid_t pid, voi pl->pl_siginfo = td2->td_dbgksi.ksi_info; } } - if ((pl->pl_flags & PL_FLAG_SI) == 0) - bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo)); if (td2->td_dbgflags & TDB_SCE) pl->pl_flags |= PL_FLAG_SCE; else if (td2->td_dbgflags & TDB_SCX)