From owner-svn-src-releng@freebsd.org Wed Nov 15 22:40:16 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 88E4CDE9503; Wed, 15 Nov 2017 22:40:16 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 55C797EFE7; Wed, 15 Nov 2017 22:40:16 +0000 (UTC) (envelope-from gordon@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vAFMeFj0006276; Wed, 15 Nov 2017 22:40:15 GMT (envelope-from gordon@FreeBSD.org) Received: (from gordon@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vAFMeFSi006275; Wed, 15 Nov 2017 22:40:15 GMT (envelope-from gordon@FreeBSD.org) Message-Id: <201711152240.vAFMeFSi006275@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gordon set sender to gordon@FreeBSD.org using -f From: Gordon Tetlow Date: Wed, 15 Nov 2017 22:40:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r325869 - releng/11.0/sys/kern X-SVN-Group: releng X-SVN-Commit-Author: gordon X-SVN-Commit-Paths: releng/11.0/sys/kern X-SVN-Commit-Revision: 325869 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Nov 2017 22:40:16 -0000 Author: gordon Date: Wed Nov 15 22:40:15 2017 New Revision: 325869 URL: https://svnweb.freebsd.org/changeset/base/325869 Log: Fix kernel data leak via ptrace(PT_LWPINFO). [SA-17:08] Approved by: so Security: FreeBSD-SA-17:08.ptrace Security: CVE-2017-1086 Modified: releng/11.0/sys/kern/sys_process.c Modified: releng/11.0/sys/kern/sys_process.c ============================================================================== --- releng/11.0/sys/kern/sys_process.c Wed Nov 15 22:39:41 2017 (r325868) +++ releng/11.0/sys/kern/sys_process.c Wed Nov 15 22:40:15 2017 (r325869) @@ -518,6 +518,7 @@ ptrace_lwpinfo_to32(const struct ptrace_lwpinfo *pl, struct ptrace_lwpinfo32 *pl32) { + bzero(pl32, sizeof(*pl32)); pl32->pl_lwpid = pl->pl_lwpid; pl32->pl_event = pl->pl_event; pl32->pl_flags = pl->pl_flags; @@ -1229,6 +1230,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, voi } else #endif pl = addr; + bzero(pl, sizeof(*pl)); pl->pl_lwpid = td2->td_tid; pl->pl_event = PL_EVENT_NONE; pl->pl_flags = 0; @@ -1249,8 +1251,6 @@ kern_ptrace(struct thread *td, int req, pid_t pid, voi pl->pl_siginfo = td2->td_dbgksi.ksi_info; } } - if ((pl->pl_flags & PL_FLAG_SI) == 0) - bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo)); if (td2->td_dbgflags & TDB_SCE) pl->pl_flags |= PL_FLAG_SCE; else if (td2->td_dbgflags & TDB_SCX)