Date: Wed, 28 Nov 2018 15:34:47 +0000 (UTC)
From: Eric van Gyzen <vangyzen@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject: svn commit: r341147 - in stable/12/sys: arm/arm arm64/arm64 riscv/riscv
Message-ID: <201811281534.wASFYljp052671@repo.freebsd.org>
Author: vangyzen Date: Wed Nov 28 15:34:46 2018 New Revision: 341147 URL: https://svnweb.freebsd.org/changeset/base/341147 Log: MFC r340995 Prevent kernel stack disclosure in signal delivery On arm64 and riscv platforms, sendsig() failed to zero the signal frame before copying it out to userspace. Zero it. On arm, I believe all the contents of the frame were initialized, so there was no disclosure. However, explicitly zero the whole frame because that fact could inadvertently change in the future, it's more clear to the reader, and I could be wrong in the first place. Security: similar to FreeBSD-EN-18:12.mem and CVE-2018-17155 Sponsored by: Dell EMC Isilon Modified: stable/12/sys/arm/arm/machdep.c stable/12/sys/arm64/arm64/machdep.c stable/12/sys/riscv/riscv/machdep.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/arm/arm/machdep.c ============================================================================== --- stable/12/sys/arm/arm/machdep.c Wed Nov 28 15:31:05 2018 (r341146) +++ stable/12/sys/arm/arm/machdep.c Wed Nov 28 15:34:46 2018 (r341147) @@ -641,6 +641,7 @@ sendsig(catcher, ksi, mask) /* make the stack aligned */ fp = (struct sigframe *)STACKALIGN(fp); /* Populate the siginfo frame. */ + bzero(&frame, sizeof(frame)); get_mcontext(td, &frame.sf_uc.uc_mcontext, 0); #ifdef VFP get_vfpcontext(td, &frame.sf_vfp); Modified: stable/12/sys/arm64/arm64/machdep.c ============================================================================== --- stable/12/sys/arm64/arm64/machdep.c Wed Nov 28 15:31:05 2018 (r341146) +++ stable/12/sys/arm64/arm64/machdep.c Wed Nov 28 15:34:46 2018 (r341147) 
@@ -656,6 +656,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask fp = (struct sigframe *)STACKALIGN(fp); /* Fill in the frame to copy out */ + bzero(&frame, sizeof(frame)); get_mcontext(td, &frame.sf_uc.uc_mcontext, 0); get_fpcontext(td, &frame.sf_uc.uc_mcontext); frame.sf_si = ksi->ksi_info; Modified: stable/12/sys/riscv/riscv/machdep.c ============================================================================== --- stable/12/sys/riscv/riscv/machdep.c Wed Nov 28 15:31:05 2018 (r341146) +++ stable/12/sys/riscv/riscv/machdep.c Wed Nov 28 15:34:46 2018 (r341147) @@ -583,6 +583,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask fp = (struct sigframe *)STACKALIGN(fp); /* Fill in the frame to copy out */ + bzero(&frame, sizeof(frame)); get_mcontext(td, &frame.sf_uc.uc_mcontext, 0); get_fpcontext(td, &frame.sf_uc.uc_mcontext); frame.sf_si = ksi->ksi_info;
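Review bot: in the arm hunk (sys/arm/arm/machdep.c, sendsig @@ -641), bzero(&frame, sizeof(frame)) lands before get_mcontext() and the #ifdef VFP get_vfpcontext() call, which is the right order: it also covers struct padding that member stores never write, and when VFP is compiled out, frame.sf_vfp is now zero instead of whatever was on the kernel stack. The three lines of leading context stop at STACKALIGN(fp), so confirm nothing in frame is assigned earlier in sendsig(); an earlier store would be wiped by this bzero. Consider updating the "/* Populate the siginfo frame. */" comment to say the frame is zeroed first.

Review bot: in the arm64 hunk (sys/arm64/arm64/machdep.c, sendsig @@ -656), zeroing frame before get_mcontext()/get_fpcontext() fixes the disclosure for uc_mcontext, but the following line "frame.sf_si = ksi->ksi_info;" is a whole-struct copy, so any uninitialized padding inside ksi_info may be carried into the frame regardless of the bzero; worth confirming that every producer of the ksiginfo zero-initializes it. The "/* Fill in the frame to copy out */" comment now precedes the bzero and could mention that the frame is cleared first.

Review bot: in the riscv hunk (sys/riscv/riscv/machdep.c, sendsig @@ -583), same change and same ordering as arm64, so the same note about the struct copy from ksi->ksi_info applies. Plain bzero() (rather than explicit_bzero()) is correct here: frame is subsequently read by the copyout, so the compiler cannot treat the zeroing as a dead store, and the disclosure fix does not depend on the stronger primitive.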