Date:      Sat, 7 Aug 2010 08:08:14 +0000 (UTC)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        cvs-src-old@freebsd.org
Subject:   cvs commit: src/sys/fs/coda coda.h coda_venus.c coda_vnops.c
Message-ID:  <201008070808.o7788Z96044543@repoman.freebsd.org>


rwatson     2010-08-07 08:08:14 UTC

  FreeBSD src repository

  Modified files:
    sys/fs/coda          coda.h coda_venus.c coda_vnops.c 
  Log:
  SVN rev 210997 on 2010-08-07 08:08:14Z by rwatson
  
  Properly bounds check ioctl/pioctl data arguments for Coda:
  
  1. Use unsigned rather than signed lengths
  2. Bound messages to/from Venus to VC_MAXMSGSIZE
  3. Bound messages to/from general user processes to VC_MAXDATASIZE
  4. Update comment regarding data limits for pioctl
  
  Without (1) and (3), it may be possible for unprivileged user processes to
  read sensitive portions of kernel memory.  This issue is only present if
  the Coda kernel module is loaded and venus (the userspace Coda daemon) is
  running and has /coda mounted.
  
  As Coda is considered experimental and production use is warned against in
  the coda(4) man page, and because Coda must be explicitly configured for a
  configuration to be vulnerable, we won't be issuing a security advisory.
  However, if you are using Coda, then you are advised to apply these fixes.
  
  Reported by:    Dan J. Rosenberg <drosenberg at vsecurity.com>
  Obtained from:  NetBSD (Christos Zoulas)
  Security:       Kernel memory disclosure; no advisory as feature experimental
  MFC after:      3 days
  
  Revision  Changes    Path
  1.19      +4 -2      src/sys/fs/coda/coda.h
  1.34      +6 -0      src/sys/fs/coda/coda_venus.c
  1.103     +2 -1      src/sys/fs/coda/coda_vnops.c
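
The bug class that items (1) and (3) of the log address, as an added example that is not part of the original commit or of the FreeBSD/NetBSD Coda source: a signed, caller-supplied length slips past an upper-bound-only check, while an unsigned length with explicit bounds is rejected. All `ex_` names and the `EX_MAXDATASIZE` value are assumptions made for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limit for this example only; not the real VC_MAXDATASIZE value. */
#define EX_MAXDATASIZE 64

/* Hypothetical request headers carrying a caller-supplied data length. */
struct ex_req_signed   { int len; };
struct ex_req_unsigned { unsigned int len; };

/* Weak check: only an upper bound on a signed length. A negative len
 * compares as "not greater than the limit", so the request is accepted.
 * Returns 1 if accepted, 0 if rejected. */
int ex_accepts_signed(const struct ex_req_signed *r)
{
    if (r->len > EX_MAXDATASIZE)
        return 0;
    return 1;
}

/* The size a copy routine taking size_t would see after conversion:
 * a negative int becomes a very large unsigned value. */
size_t ex_copy_size_signed(const struct ex_req_signed *r)
{
    return (size_t)r->len;
}

/* Hardened form: unsigned length, bounded by the protocol limit and by
 * both buffers before any copy. Returns bytes copied, or -1 on reject. */
int ex_copy_out(const struct ex_req_unsigned *r, const char *src,
                size_t src_len, char *dst, size_t dst_len)
{
    if (r->len > EX_MAXDATASIZE || r->len > src_len || r->len > dst_len)
        return -1;
    memcpy(dst, src, r->len);
    return (int)r->len;
}
```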


