From owner-svn-src-stable-11@freebsd.org Wed Mar 21 23:45:49 2018 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E4F15F4EF60; Wed, 21 Mar 2018 23:45:48 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 94C736F580; Wed, 21 Mar 2018 23:45:48 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 8B7C514F1; Wed, 21 Mar 2018 23:45:48 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w2LNjmSc070956; Wed, 21 Mar 2018 23:45:48 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w2LNjmTf070955; Wed, 21 Mar 2018 23:45:48 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201803212345.w2LNjmTf070955@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Wed, 21 Mar 2018 23:45:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r331330 - stable/11/sys/compat/svr4 X-SVN-Group: stable-11 X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: stable/11/sys/compat/svr4 X-SVN-Commit-Revision: 331330 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Mar 2018 23:45:49 -0000 Author: emaste Date: Wed Mar 21 23:45:48 2018 New Revision: 331330 URL: https://svnweb.freebsd.org/changeset/base/331330 Log: Fix kernel memory disclosure in svr4_sys_getdents64 svr4_sys_getdents64() copies a dirent structure to userland. When calculating the record length for any given dirent entry alignment is performed. However, the aligned bytes are not cleared, this will trigger an info leak. Direct commit to stable/11; this code does not exist in HEAD. This change to be merged from stable/11 to stable/10. Reported by: Ilja Van Sprundel MFC after: 3 days Security: Kernel memory disclosure (797) Sponsored by: The FreeBSD Foundation Modified: stable/11/sys/compat/svr4/svr4_misc.c Modified: stable/11/sys/compat/svr4/svr4_misc.c ============================================================================== --- stable/11/sys/compat/svr4/svr4_misc.c Wed Mar 21 23:26:42 2018 (r331329) +++ stable/11/sys/compat/svr4/svr4_misc.c Wed Mar 21 23:45:48 2018 (r331330) @@ -259,6 +259,7 @@ svr4_sys_getdents64(td, uap) u_long *cookies = NULL, *cookiep; int ncookies; + memset(&svr4_dirent, 0, sizeof(svr4_dirent)); DPRINTF(("svr4_sys_getdents64(%d, *, %d)\n", uap->fd, uap->nbytes)); error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp);