From owner-svn-src-all@freebsd.org Thu Jan 14 10:14:00 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4FB65A827A0; Thu, 14 Jan 2016 10:14:00 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 292A21E65; Thu, 14 Jan 2016 10:14:00 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u0EADx4W040356; Thu, 14 Jan 2016 10:13:59 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u0EADwXU040352; Thu, 14 Jan 2016 10:13:58 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201601141013.u0EADwXU040352@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f From: Gleb Smirnoff Date: Thu, 14 Jan 2016 10:13:58 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r293907 - in head/sys: amd64/linux amd64/linux32 compat/linux i386/linux X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Jan 2016 10:14:00 -0000 Author: glebius Date: Thu Jan 14 10:13:58 2016 New Revision: 293907 URL: https://svnweb.freebsd.org/changeset/base/293907 Log: Change linux get_robust_list system call to match actual linux one. The set_robust_list system call request the kernel to record the head of the list of robust futexes owned by the calling thread. The head argument is the list head to record. The get_robust_list system call should return the head of the robust list of the thread whose thread id is specified in pid argument. The list head should be stored in the location pointed to by head argument. In contrast, our implemenattion of get_robust_list system call copies the known portion of memory pointed by recorded in set_robust_list system call pointer to the head of the robust list to the location pointed by head argument. So, it is possible for a local attacker to read portions of kernel memory, which may result in a privilege escalation. Submitted by: mjg Security: SA-16:03.linux Modified: head/sys/amd64/linux/syscalls.master head/sys/amd64/linux32/syscalls.master head/sys/compat/linux/linux_futex.c head/sys/i386/linux/syscalls.master Modified: head/sys/amd64/linux/syscalls.master ============================================================================== --- head/sys/amd64/linux/syscalls.master Thu Jan 14 10:11:10 2016 (r293906) +++ head/sys/amd64/linux/syscalls.master Thu Jan 14 10:13:58 2016 (r293907) @@ -461,8 +461,8 @@ 272 AUE_NULL STD { int linux_unshare(void); } 273 AUE_NULL STD { int linux_set_robust_list(struct linux_robust_list_head *head, \ l_size_t len); } -274 AUE_NULL STD { int linux_get_robust_list(l_int pid, struct linux_robust_list_head *head, \ - l_size_t *len); } +274 AUE_NULL STD { int linux_get_robust_list(l_int pid, \ + struct linux_robust_list_head **head, l_size_t *len); } 275 AUE_NULL STD { int linux_splice(void); } 276 AUE_NULL STD { int linux_tee(void); } 277 AUE_NULL STD { int linux_sync_file_range(void); } Modified: head/sys/amd64/linux32/syscalls.master ============================================================================== --- head/sys/amd64/linux32/syscalls.master Thu Jan 14 10:11:10 2016 (r293906) +++ head/sys/amd64/linux32/syscalls.master Thu Jan 14 10:13:58 2016 (r293907) @@ -520,8 +520,8 @@ ; linux 2.6.17: 311 AUE_NULL STD { int linux_set_robust_list(struct linux_robust_list_head *head, \ l_size_t len); } -312 AUE_NULL STD { int linux_get_robust_list(l_int pid, struct linux_robust_list_head *head, \ - l_size_t *len); } +312 AUE_NULL STD { int linux_get_robust_list(l_int pid, \ + struct linux_robust_list_head **head, l_size_t *len); } 313 AUE_NULL STD { int linux_splice(void); } 314 AUE_NULL STD { int linux_sync_file_range(void); } 315 AUE_NULL STD { int linux_tee(void); } Modified: head/sys/compat/linux/linux_futex.c ============================================================================== --- head/sys/compat/linux/linux_futex.c Thu Jan 14 10:11:10 2016 (r293906) +++ head/sys/compat/linux/linux_futex.c Thu Jan 14 10:13:58 2016 (r293907) @@ -1131,7 +1131,7 @@ linux_get_robust_list(struct thread *td, return (EFAULT); } - error = copyout(head, args->head, sizeof(struct linux_robust_list_head)); + error = copyout(&head, args->head, sizeof(head)); if (error) { LIN_SDT_PROBE1(futex, linux_get_robust_list, copyout_error, error); Modified: head/sys/i386/linux/syscalls.master ============================================================================== --- head/sys/i386/linux/syscalls.master Thu Jan 14 10:11:10 2016 (r293906) +++ head/sys/i386/linux/syscalls.master Thu Jan 14 10:13:58 2016 (r293907) @@ -528,8 +528,8 @@ ; linux 2.6.17: 311 AUE_NULL STD { int linux_set_robust_list(struct linux_robust_list_head *head, \ l_size_t len); } -312 AUE_NULL STD { int linux_get_robust_list(l_int pid, struct linux_robust_list_head **head, \ - l_size_t *len); } +312 AUE_NULL STD { int linux_get_robust_list(l_int pid, \ + struct linux_robust_list_head **head, l_size_t *len); } 313 AUE_NULL STD { int linux_splice(void); } 314 AUE_NULL STD { int linux_sync_file_range(void); } 315 AUE_NULL STD { int linux_tee(void); }