Date:      Mon, 26 Nov 2018 20:52:54 +0000 (UTC)
From:      Eric van Gyzen <vangyzen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r340995 - in head/sys: arm/arm arm64/arm64 riscv/riscv
Message-ID:  <201811262052.wAQKqsPi022337@repo.freebsd.org>

Author: vangyzen
Date: Mon Nov 26 20:52:53 2018
New Revision: 340995
URL: https://svnweb.freebsd.org/changeset/base/340995

Log:
  Prevent kernel stack disclosure in signal delivery
  
  On arm64 and riscv platforms, sendsig() failed to zero the signal
  frame before copying it out to userspace.  Zero it.
  
  On arm, I believe all the contents of the frame were initialized,
  so there was no disclosure.  However, explicitly zero the whole frame
  because that fact could inadvertently change in the future,
  it's more clear to the reader, and I could be wrong in the first place.
  
  MFC after:	2 days
  Security:	similar to FreeBSD-EN-18:12.mem and CVE-2018-17155
  Sponsored by:	Dell EMC Isilon
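Added illustration, not part of this commit or of FreeBSD's sources, of why the log insists on zeroing the whole frame rather than trusting that every field gets written: a struct built field by field on a previously used stack still carries the old stack bytes in its padding, and a copyout of the whole object ships them to userspace. `struct frame`, the `STALE` fill pattern and the `memcpy()` standing in for `copyout()` are all constructed for this example; the real `struct sigframe` has a different layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Hypothetical stand-in for the kernel's struct sigframe (constructed for
 * this example, not FreeBSD's real layout).  The narrow fields force the
 * compiler to insert padding bytes between and after them on LP64 ABIs.
 */
struct frame {
    uint8_t  sig;     /* offset 0, then 7 padding bytes */
    uint64_t pc;      /* offset 8 */
    uint16_t flags;   /* offset 16, then 6 tail padding bytes */
};

/*
 * Simulated kernel stack slot.  The union lets us fill the raw bytes with a
 * recognisable "stale data" pattern and then use the same memory as the
 * struct, just like a local variable placed on an already used stack.
 */
union stack_slot {
    unsigned char bytes[sizeof(struct frame)];
    struct frame f;
};

#define STALE 0xAA  /* constructed marker for leftover kernel data */

/* Return 1 if byte offset `off` lies inside a real field of struct frame. */
static int in_field(size_t off)
{
    return (off >= offsetof(struct frame, sig) &&
            off <  offsetof(struct frame, sig) + sizeof(uint8_t)) ||
           (off >= offsetof(struct frame, pc) &&
            off <  offsetof(struct frame, pc) + sizeof(uint64_t)) ||
           (off >= offsetof(struct frame, flags) &&
            off <  offsetof(struct frame, flags) + sizeof(uint16_t));
}

/*
 * Model of sendsig(): build the frame in a stack slot that still holds stale
 * data, then "copy it out" to user memory.  When zero_first is set the whole
 * object is cleared first, which is what the added bzero(&frame, sizeof(frame))
 * does.  Returns how many stale non-field bytes reached the user copy.
 */
size_t stale_bytes_copied_out(int zero_first)
{
    union stack_slot slot;
    unsigned char user_copy[sizeof(struct frame)];
    size_t off, leaked = 0;

    memset(slot.bytes, STALE, sizeof slot.bytes);   /* previous stack use */

    if (zero_first)
        memset(&slot.f, 0, sizeof slot.f);          /* the fix */

    /* Field-by-field initialisation, as get_mcontext() and friends do. */
    slot.f.sig = 11;
    slot.f.pc = 0x1234;
    slot.f.flags = 1;

    memcpy(user_copy, slot.bytes, sizeof user_copy); /* copyout() stand-in */

    for (off = 0; off < sizeof user_copy; off++)
        if (!in_field(off) && user_copy[off] == STALE)
            leaked++;
    return leaked;
}

/* Total padding bytes in struct frame, computed from the field sizes. */
size_t padding_bytes(void)
{
    return sizeof(struct frame) - sizeof(uint8_t) - sizeof(uint64_t) -
        sizeof(uint16_t);
}

int main(void)
{
    printf("struct frame has %zu padding bytes\n", padding_bytes());
    printf("without zeroing: %zu stale bytes reach userspace\n",
        stale_bytes_copied_out(0));
    printf("with zeroing:    %zu stale bytes reach userspace\n",
        stale_bytes_copied_out(1));
    return 0;
}
```

The same reasoning covers the second half of the log: even on a platform where every field happens to be written today, a field added later without an accompanying store, or a change that turns a full-width store into a narrower one, silently reopens the leak, whereas the whole-object zeroing keeps the copied-out bytes defined regardless.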

Modified:
  head/sys/arm/arm/machdep.c
  head/sys/arm64/arm64/machdep.c
  head/sys/riscv/riscv/machdep.c

Modified: head/sys/arm/arm/machdep.c
==============================================================================
--- head/sys/arm/arm/machdep.c	Mon Nov 26 20:50:55 2018	(r340994)
+++ head/sys/arm/arm/machdep.c	Mon Nov 26 20:52:53 2018	(r340995)
@@ -641,6 +641,7 @@ sendsig(catcher, ksi, mask)
 	/* make the stack aligned */
 	fp = (struct sigframe *)STACKALIGN(fp);
 	/* Populate the siginfo frame. */
+	bzero(&frame, sizeof(frame));
 	get_mcontext(td, &frame.sf_uc.uc_mcontext, 0);
 #ifdef VFP
 	get_vfpcontext(td, &frame.sf_vfp);
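Review bot: the new `bzero(&frame, sizeof(frame));` is placed after the `/* Populate the siginfo frame. */` comment, so that comment now introduces the zeroing rather than the get_mcontext() call that actually populates the frame; move the bzero() above the comment, or give it its own comment stating the reason the log gives (clear padding and any field a future change forgets to set). The change itself is sound: get_mcontext() and get_vfpcontext() store into individual fields, and field stores leave structure padding untouched, so zeroing the whole object is the only way to guarantee no stale kernel-stack bytes are carried into the later copyout.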

Modified: head/sys/arm64/arm64/machdep.c
==============================================================================
--- head/sys/arm64/arm64/machdep.c	Mon Nov 26 20:50:55 2018	(r340994)
+++ head/sys/arm64/arm64/machdep.c	Mon Nov 26 20:52:53 2018	(r340995)
@@ -656,6 +656,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask
 	fp = (struct sigframe *)STACKALIGN(fp);
 
 	/* Fill in the frame to copy out */
+	bzero(&frame, sizeof(frame));
 	get_mcontext(td, &frame.sf_uc.uc_mcontext, 0);
 	get_fpcontext(td, &frame.sf_uc.uc_mcontext);
 	frame.sf_si = ksi->ksi_info;
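Review bot: bzero() before get_mcontext() covers the fields those helpers set and the padding between them, but `frame.sf_si = ksi->ksi_info;` is a whole-struct assignment that copies the source's padding bytes verbatim, so zeroing `frame` does not help if `ksi->ksi_info` itself carries stale bytes; worth confirming that every ksiginfo_t reaching sendsig() is zero-initialized where it is created. Plain bzero() is adequate here (explicit_bzero() is not needed) because the frame is copied out afterwards, so the compiler cannot discard the zeroing as a dead store.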

Modified: head/sys/riscv/riscv/machdep.c
==============================================================================
--- head/sys/riscv/riscv/machdep.c	Mon Nov 26 20:50:55 2018	(r340994)
+++ head/sys/riscv/riscv/machdep.c	Mon Nov 26 20:52:53 2018	(r340995)
@@ -582,6 +582,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask
 	fp = (struct sigframe *)STACKALIGN(fp);
 
 	/* Fill in the frame to copy out */
+	bzero(&frame, sizeof(frame));
 	get_mcontext(td, &frame.sf_uc.uc_mcontext, 0);
 	get_fpcontext(td, &frame.sf_uc.uc_mcontext);
 	frame.sf_si = ksi->ksi_info;
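Review bot: this is the third copy of the identical sequence (bzero, get_mcontext, get_fpcontext) with no comment explaining the bzero(); since the log says the explicit zeroing is there partly so the intent is clear to readers, add a one-line comment above it in each machdep.c, for example "zero the whole frame, padding included, so no kernel stack contents are copied out", otherwise a later cleanup may judge it redundant with the field initialization that follows and remove it, reintroducing the disclosure.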
