Date: Wed, 28 Mar 2018 13:44:02 +0000 (UTC)
From: Ed Maste <emaste@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r331671 - stable/10/sys/i386/ibcs2
Message-ID: <201803281344.w2SDi2Fp075438@repo.freebsd.org>
Author: emaste
Date: Wed Mar 28 13:44:02 2018
New Revision: 331671
URL: https://svnweb.freebsd.org/changeset/base/331671

Log:
  MFC r331329: Fix kernel memory disclosure in ibcs2_getdents

  ibcs2_getdents() copies a dirent structure to userland. The ibcs2 dirent
  structure contains a 2 byte pad element. This element is never
  initialized, but copied to userland none-the-less.

  Note that ibcs2 has not built on HEAD since r302095.

  Submitted by: Domagoj Stolfa <ds815@cam.ac.uk>
  Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
  Security: Kernel memory disclosure (803)
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/10/sys/i386/ibcs2/ibcs2_misc.c
Directory Properties:
  stable/10/ (props changed)

Modified: stable/10/sys/i386/ibcs2/ibcs2_misc.c ============================================================================== --- stable/10/sys/i386/ibcs2/ibcs2_misc.c Wed Mar 28 13:41:43 2018 (r331670) +++ stable/10/sys/i386/ibcs2/ibcs2_misc.c Wed Mar 28 13:44:02 2018 (r331671) @@ -352,6 +352,7 @@ ibcs2_getdents(td, uap) #define BSD_DIRENT(cp) ((struct dirent *)(cp)) #define IBCS2_RECLEN(reclen) (reclen + sizeof(u_short)) + memset(&idb, 0, sizeof(idb)); error = getvnode(td->td_proc->p_fd, uap->fd, cap_rights_init(&rights, CAP_READ), &fp); if (error != 0)
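
Review bot: the added memset(&idb, 0, sizeof(idb)) at the top of ibcs2_getdents(), just before the getvnode() call, carries no comment saying why it is there, so a later cleanup could drop it as a redundant initialization. A one-line comment above it, noting that idb contains a 2 byte pad that is copied out to userland and must never hold uninitialized kernel memory, would keep the intent visible. Zeroing once at function entry is sufficient only while nothing after this point writes the pad bytes between copyouts; the declaration of idb and the copy loop are outside the visible context, so that should be confirmed against the full function.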