From: Eric van Gyzen
Date: Wed, 28 Nov 2018 16:58:36 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r341153 - in releng/12.0/sys: arm/arm arm64/arm64 riscv/riscv

Author: vangyzen
Date: Wed Nov 28 16:58:35 2018
New Revision: 341153
URL: https://svnweb.freebsd.org/changeset/base/341153

Log:
  MFS r341147

  MFC r340995

  Prevent kernel stack disclosure in signal delivery

  On arm64 and riscv platforms, sendsig() failed to zero the signal frame
  before copying it out to userspace.  Zero it.

  On arm, I believe all the contents of the frame were initialized,
  so there was no disclosure.  However, explicitly zero the whole frame
  because that fact could inadvertently change in the future,
  it's more clear to the reader, and I could be wrong in the first place.

Approved by: re (gjb) Security: similar to FreeBSD-EN-18:12.mem and CVE-2018-17155 Sponsored by: Dell EMC Isilon Modified: releng/12.0/sys/arm/arm/machdep.c releng/12.0/sys/arm64/arm64/machdep.c releng/12.0/sys/riscv/riscv/machdep.c Directory Properties: releng/12.0/ (props changed) Modified: releng/12.0/sys/arm/arm/machdep.c ============================================================================== --- releng/12.0/sys/arm/arm/machdep.c Wed Nov 28 16:52:41 2018 (r341152) +++ releng/12.0/sys/arm/arm/machdep.c Wed Nov 28 16:58:35 2018 (r341153) @@ -641,6 +641,7 @@ sendsig(catcher, ksi, mask) /* make the stack aligned */ fp = (struct sigframe *)STACKALIGN(fp); /* Populate the siginfo frame. */ + bzero(&frame, sizeof(frame)); get_mcontext(td, &frame.sf_uc.uc_mcontext, 0); #ifdef VFP get_vfpcontext(td, &frame.sf_vfp); Modified: releng/12.0/sys/arm64/arm64/machdep.c ============================================================================== --- releng/12.0/sys/arm64/arm64/machdep.c Wed Nov 28 16:52:41 2018 (r341152) +++ releng/12.0/sys/arm64/arm64/machdep.c Wed Nov 28 16:58:35 2018 (r341153) @@ -656,6 +656,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask fp = (struct sigframe *)STACKALIGN(fp); /* Fill in the frame to copy out */ + bzero(&frame, sizeof(frame)); get_mcontext(td, &frame.sf_uc.uc_mcontext, 0); get_fpcontext(td, &frame.sf_uc.uc_mcontext); frame.sf_si = ksi->ksi_info; Modified: releng/12.0/sys/riscv/riscv/machdep.c ============================================================================== --- releng/12.0/sys/riscv/riscv/machdep.c Wed Nov 28 16:52:41 2018 (r341152) +++ releng/12.0/sys/riscv/riscv/machdep.c Wed Nov 28 16:58:35 2018 (r341153) @@ -583,6 +583,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask fp = (struct sigframe *)STACKALIGN(fp); /* Fill in the frame to copy out */ + bzero(&frame, sizeof(frame)); get_mcontext(td, &frame.sf_uc.uc_mcontext, 0); get_fpcontext(td, &frame.sf_uc.uc_mcontext); frame.sf_si = ksi->ksi_info;
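
Review bot: In the arm/arm/machdep.c hunk the new `bzero(&frame, sizeof(frame));` sits under the existing comment "Populate the siginfo frame.", which gives no reason for the zeroing. Since the log says the arm frame was believed to be fully initialized already, a later cleanup could drop the call as redundant. A one-line comment above it, saying that the whole frame is copied out to userspace and so padding and any unset members must be zero, would protect it.

Review bot: In the arm64/arm64/machdep.c and riscv/riscv/machdep.c hunks the zeroing is followed by the struct assignment `frame.sf_si = ksi->ksi_info;`. C leaves the padding bytes of the destination unspecified after a struct assignment, and compilers commonly copy the source object byte for byte, so the zeroed padding inside sf_si can be replaced by whatever padding ksi->ksi_info holds. It is worth confirming that ksi_info is itself zeroed where it is set up, or noting that assumption in a comment next to the bzero. The same explanatory comment suggested for arm applies to both of these hunks, since "Fill in the frame to copy out" does not mention that uninitialized bytes would reach userspace.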