Author: emaste
Date: Wed Mar 28 13:41:43 2018
New Revision: 331670
URL: https://svnweb.freebsd.org/changeset/base/331670

Log:
  MFC r331329: Fix kernel memory disclosure in ibcs2_getdents
  
  ibcs2_getdents() copies a dirent structure to userland.  The ibcs2
  dirent structure contains a 2 byte pad element.  This element is never
  initialized, but copied to userland nonetheless.
  
  Note that ibcs2 has not built on HEAD since r302095.
  
  Submitted by: Domagoj Stolfa <ds...@cam.ac.uk>
  Reported by:  Ilja Van Sprundel <ivansprun...@ioactive.com>
  Security:     Kernel memory disclosure (803)
  Sponsored by: The FreeBSD Foundation

Modified:
  stable/11/sys/i386/ibcs2/ibcs2_misc.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/i386/ibcs2/ibcs2_misc.c
==============================================================================
--- stable/11/sys/i386/ibcs2/ibcs2_misc.c       Wed Mar 28 13:39:20 2018        
(r331669)
+++ stable/11/sys/i386/ibcs2/ibcs2_misc.c       Wed Mar 28 13:41:43 2018        
(r331670)
@@ -330,6 +330,7 @@ ibcs2_getdents(struct thread *td, struct ibcs2_getdent
 #define        BSD_DIRENT(cp)          ((struct dirent *)(cp))
 #define        IBCS2_RECLEN(reclen)    (reclen + sizeof(u_short))
 
+       memset(&idb, 0, sizeof(idb));
        error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp);
        if (error != 0)
                return (error);
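Review bot: the added memset(&idb, 0, sizeof(idb)) just before the getvnode() call carries no comment, so nothing at that spot says it exists to keep the 2 byte pad element of the ibcs2 dirent from being copied to userland uninitialized. A one-line comment above it, for example /* Zero idb so its pad bytes are not copied out uninitialized. */, would keep it from being dropped later as a redundant initialization. The call also clears idb only once at function entry, so the fix relies on no later code in ibcs2_getdents() writing into the pad; that code is outside this hunk and is worth confirming when reviewing the merge.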