Date: Thu, 29 Mar 2018 22:31:14 +0000 (UTC) From: Ed Maste <emaste@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r331749 - stable/10/sys/compat/svr4 Message-ID: <201803292231.w2TMVEA2070745@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: emaste Date: Thu Mar 29 22:31:14 2018 New Revision: 331749 URL: https://svnweb.freebsd.org/changeset/base/331749 Log: MF11 r331330: Fix kernel memory disclosure in svr4_sys_getdents64 svr4_sys_getdents64() copies a dirent structure to userland. When calculating the record length for any given dirent entry alignment is performed. However, the aligned bytes are not cleared, this will trigger an info leak. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> Security: Kernel memory disclosure (801) Sponsored by: The FreeBSD Foundation Modified: stable/10/sys/compat/svr4/svr4_misc.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/compat/svr4/svr4_misc.c ============================================================================== --- stable/10/sys/compat/svr4/svr4_misc.c Thu Mar 29 20:39:05 2018 (r331748) +++ stable/10/sys/compat/svr4/svr4_misc.c Thu Mar 29 22:31:14 2018 (r331749) @@ -260,6 +260,7 @@ svr4_sys_getdents64(td, uap) u_long *cookies = NULL, *cookiep; int ncookies; + memset(&svr4_dirent, 0, sizeof(svr4_dirent)); DPRINTF(("svr4_sys_getdents64(%d, *, %d)\n", uap->fd, uap->nbytes)); error = getvnode(td->td_proc->p_fd, uap->fd,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201803292231.w2TMVEA2070745>