Date:      Thu, 19 Mar 2020 16:51:33 +0000 (UTC)
From:      Gordon Tetlow <gordon@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r359142 - in releng: 11.3/sys/kern 12.1/sys/kern
Message-ID:  <202003191651.02JGpX9E025769@repo.freebsd.org>

Author: gordon
Date: Thu Mar 19 16:51:33 2020
New Revision: 359142
URL: https://svnweb.freebsd.org/changeset/base/359142

Log:
  Fix kernel memory disclosure with nested jails.
  
  Approved by:	so
  Security:	FreeBSD-SA-20:08.jail
  Security:	CVE-2020-7453

Modified:
  releng/11.3/sys/kern/kern_jail.c
  releng/12.1/sys/kern/kern_jail.c

Modified: releng/11.3/sys/kern/kern_jail.c
==============================================================================
--- releng/11.3/sys/kern/kern_jail.c	Thu Mar 19 16:50:36 2020	(r359141)
+++ releng/11.3/sys/kern/kern_jail.c	Thu Mar 19 16:51:33 2020	(r359142)
@@ -881,8 +881,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
 			    "osrelease cannot be changed after creation");
 			goto done_errmsg;
 		}
-		if (len == 0 || len >= OSRELEASELEN) {
+		if (len == 0 || osrelstr[len - 1] != '\0') {
 			error = EINVAL;
+			goto done_free;
+		}
+		if (len >= OSRELEASELEN) {
+			error = ENAMETOOLONG;
 			vfs_opterror(opts,
 			    "osrelease string must be 1-%d bytes long",
 			    OSRELEASELEN - 1);
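Review bot: The new unterminated-string branch (`error = EINVAL;` followed by `goto done_free;`) records no message in `opts`, whereas the over-long branch right after it explains its ENAMETOOLONG through vfs_opterror, so a caller passing a non-terminated osrelease now gets a bare EINVAL with nothing to print. For consistency with the surrounding option validation, add `vfs_opterror(opts, "osrelease string must be NUL-terminated");` before the goto; whether the jump should then go to the errmsg label instead of done_free depends on what those labels do, which is outside the hunk. Note the `len == 0 ||` test is what keeps `osrelstr[len - 1]` from indexing before the buffer, so the two conditions must stay in this order. The same applies to the releng/12.1 hunk at `@@ -862,8 +862,12 @@`. kern_jail_set begins and ends outside the hunk.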
@@ -1272,9 +1276,11 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
 
 		pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
 		if (osrelstr == NULL)
-		    strcpy(pr->pr_osrelease, ppr->pr_osrelease);
+			strlcpy(pr->pr_osrelease, ppr->pr_osrelease,
+			    sizeof(pr->pr_osrelease));
 		else
-		    strcpy(pr->pr_osrelease, osrelstr);
+			strlcpy(pr->pr_osrelease, osrelstr,
+			    sizeof(pr->pr_osrelease));
 
 		LIST_INIT(&pr->pr_children);
 		mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK);
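Review bot: The two strlcpy calls differ only in their source argument, so the if/else could collapse to one call that mirrors the `pr_osreldate` line just above it: `strlcpy(pr->pr_osrelease, osrelstr != NULL ? osrelstr : ppr->pr_osrelease, sizeof(pr->pr_osrelease));`. The strlcpy return value is discarded, which is only safe if the earlier `len >= OSRELEASELEN` check guarantees the source fits in `pr_osrelease`; the relation between OSRELEASELEN and the array size is not visible here, so a one-line comment such as `/* len < OSRELEASELEN was enforced above; truncation cannot occur */` (or a static assertion tying the two) would document why the result is ignored. The same applies to the releng/12.1 hunk at `@@ -1253,9 +1257,11 @@`. kern_jail_set begins and ends outside the hunk.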

Modified: releng/12.1/sys/kern/kern_jail.c
==============================================================================
--- releng/12.1/sys/kern/kern_jail.c	Thu Mar 19 16:50:36 2020	(r359141)
+++ releng/12.1/sys/kern/kern_jail.c	Thu Mar 19 16:51:33 2020	(r359142)
@@ -862,8 +862,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
 			    "osrelease cannot be changed after creation");
 			goto done_errmsg;
 		}
-		if (len == 0 || len >= OSRELEASELEN) {
+		if (len == 0 || osrelstr[len - 1] != '\0') {
 			error = EINVAL;
+			goto done_free;
+		}
+		if (len >= OSRELEASELEN) {
+			error = ENAMETOOLONG;
 			vfs_opterror(opts,
 			    "osrelease string must be 1-%d bytes long",
 			    OSRELEASELEN - 1);
@@ -1253,9 +1257,11 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
 
 		pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
 		if (osrelstr == NULL)
-		    strcpy(pr->pr_osrelease, ppr->pr_osrelease);
+			strlcpy(pr->pr_osrelease, ppr->pr_osrelease,
+			    sizeof(pr->pr_osrelease));
 		else
-		    strcpy(pr->pr_osrelease, osrelstr);
+			strlcpy(pr->pr_osrelease, osrelstr,
+			    sizeof(pr->pr_osrelease));
 
 		LIST_INIT(&pr->pr_children);
 		mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK);


