Author: emaste
Date: Thu Mar 29 22:31:14 2018
New Revision: 331749
URL: https://svnweb.freebsd.org/changeset/base/331749
Log: MF11 r331330: Fix kernel memory disclosure in svr4_sys_getdents64 svr4_sys_getdents64() copies a dirent structure to userland. When calculating the record length for any given dirent entry alignment is performed. However, the aligned bytes are not cleared, this will trigger an info leak. Reported by: Ilja Van Sprundel <ivansprun...@ioactive.com> Security: Kernel memory disclosure (801) Sponsored by: The FreeBSD Foundation Modified: stable/10/sys/compat/svr4/svr4_misc.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/compat/svr4/svr4_misc.c ============================================================================== --- stable/10/sys/compat/svr4/svr4_misc.c Thu Mar 29 20:39:05 2018 (r331748) +++ stable/10/sys/compat/svr4/svr4_misc.c Thu Mar 29 22:31:14 2018 (r331749) @@ -260,6 +260,7 @@ svr4_sys_getdents64(td, uap) u_long *cookies = NULL, *cookiep; int ncookies; + memset(&svr4_dirent, 0, sizeof(svr4_dirent)); DPRINTF(("svr4_sys_getdents64(%d, *, %d)\n", uap->fd, uap->nbytes)); error = getvnode(td->td_proc->p_fd, uap->fd,
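Review bot: the added memset(&svr4_dirent, 0, sizeof(svr4_dirent)) at the top of svr4_sys_getdents64() has no comment, and it runs once at function entry while the log describes the uncleared bytes as arising per entry, when the record length is aligned. Suggest a one-line comment above it stating that the structure is zeroed so that alignment padding copied to userland never holds stale kernel memory; without it the call looks redundant and is easy to drop in a later cleanup. If svr4_dirent is refilled for each entry, it is also worth confirming that bytes left from a longer earlier name cannot fall inside the aligned record length of a later, shorter one. Those would be earlier directory-entry data rather than uninitialized memory, but clearing per entry would make every copied record fully deterministic.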