Author: gordon
Date: Wed Nov 15 22:35:16 2017
New Revision: 325867
URL: https://svnweb.freebsd.org/changeset/base/325867

Log:
  MFC r325865
  
  Properly bzero kldstat structure to prevent kernel information leak.
  
  Security:     FreeBSD-SA-17:10.kldstat
  Security:     CVE-2017-1088

Modified:
  stable/10/sys/compat/freebsd32/freebsd32_misc.c
  stable/10/sys/kern/kern_linker.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/compat/freebsd32/freebsd32_misc.c
==============================================================================
--- stable/10/sys/compat/freebsd32/freebsd32_misc.c     Wed Nov 15 22:34:15 
2017        (r325866)
+++ stable/10/sys/compat/freebsd32/freebsd32_misc.c     Wed Nov 15 22:35:16 
2017        (r325867)
@@ -3068,8 +3068,8 @@ freebsd32_copyout_strings(struct image_params *imgp)
 int
 freebsd32_kldstat(struct thread *td, struct freebsd32_kldstat_args *uap)
 {
-       struct kld_file_stat stat;
-       struct kld32_file_stat stat32;
+       struct kld_file_stat *stat;
+       struct kld32_file_stat *stat32;
        int error, version;
 
        if ((error = copyin(&uap->stat->version, &version, sizeof(version)))
@@ -3079,17 +3079,22 @@ freebsd32_kldstat(struct thread *td, struct freebsd32_
            version != sizeof(struct kld32_file_stat))
                return (EINVAL);
 
-       error = kern_kldstat(td, uap->fileid, &stat);
-       if (error != 0)
-               return (error);
-
-       bcopy(&stat.name[0], &stat32.name[0], sizeof(stat.name));
-       CP(stat, stat32, refs);
-       CP(stat, stat32, id);
-       PTROUT_CP(stat, stat32, address);
-       CP(stat, stat32, size);
-       bcopy(&stat.pathname[0], &stat32.pathname[0], sizeof(stat.pathname));
-       return (copyout(&stat32, uap->stat, version));
+       stat = malloc(sizeof(*stat), M_TEMP, M_WAITOK | M_ZERO);
+       stat32 = malloc(sizeof(*stat32), M_TEMP, M_WAITOK | M_ZERO);
+       error = kern_kldstat(td, uap->fileid, stat);
+       if (error == 0) {
+               bcopy(&stat->name[0], &stat32->name[0], sizeof(stat->name));
+               CP(*stat, *stat32, refs);
+               CP(*stat, *stat32, id);
+               PTROUT_CP(*stat, *stat32, address);
+               CP(*stat, *stat32, size);
+               bcopy(&stat->pathname[0], &stat32->pathname[0],
+                   sizeof(stat->pathname));
+               error = copyout(stat32, uap->stat, version);
+       }
+       free(stat, M_TEMP);
+       free(stat32, M_TEMP);
+       return (error);
 }
 
 int
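Review bot: Nothing in the added block assigns `stat32->version` before `copyout(stat32, uap->stat, version)`, so with the M_ZERO allocation the version word in the caller's buffer would presumably be overwritten with 0, where it previously received whatever was on the stack. This assumes CP/PTROUT_CP copy only the named member and that kern_kldstat() does not fill the 32-bit structure, neither of which is visible here. If the field is meant to survive the call, add `stat32->version = version;` just before the copyout. The same question applies to `stat->version` in sys_kldstat in kern_linker.c, where it depends on what kern_kldstat() writes. The function begins in the previous hunk.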

Modified: stable/10/sys/kern/kern_linker.c
==============================================================================
--- stable/10/sys/kern/kern_linker.c    Wed Nov 15 22:34:15 2017        
(r325866)
+++ stable/10/sys/kern/kern_linker.c    Wed Nov 15 22:35:16 2017        
(r325867)
@@ -1223,7 +1223,7 @@ out:
 int
 sys_kldstat(struct thread *td, struct kldstat_args *uap)
 {
-       struct kld_file_stat stat;
+       struct kld_file_stat *stat;
        int error, version;
 
        /*
@@ -1236,10 +1236,12 @@ sys_kldstat(struct thread *td, struct kldstat_args *ua
            version != sizeof(struct kld_file_stat))
                return (EINVAL);
 
-       error = kern_kldstat(td, uap->fileid, &stat);
-       if (error != 0)
-               return (error);
-       return (copyout(&stat, uap->stat, version));
+       stat = malloc(sizeof(*stat), M_TEMP, M_WAITOK | M_ZERO);
+       error = kern_kldstat(td, uap->fileid, stat);
+       if (error == 0)
+               error = copyout(stat, uap->stat, version);
+       free(stat, M_TEMP);
+       return (error);
 }
 
 int
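Review bot: The `malloc(..., M_WAITOK | M_ZERO)` line carries the whole security fix but has no comment, so a later cleanup could drop M_ZERO or return to a stack variable as an apparent optimisation. A short comment above it would make the invariant explicit, for example `/* Zeroed: the full structure, including padding and unused tails of name/pathname, is copied out to userland. */`. The two allocations in freebsd32_kldstat in freebsd32_misc.c would benefit from the same comment. The function body starts in the previous hunk.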