[Bug 237922] Kernel stack disclosure in function freebsd32_swapcontext of sys/arm64/arm64/freebsd32_machdep.c
bugzilla-noreply at freebsd.org
Thu May 16 11:59:05 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237922
Bug ID: 237922
Summary: Kernel stack disclosure in function freebsd32_swapcontext of sys/arm64/arm64/freebsd32_machdep.c
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: yangx92 at hotmail.com
There is a kernel stack disclosure vulnerability in function
freebsd32_swapcontext of sys/arm64/arm64/freebsd32_machdep.c.
int
freebsd32_swapcontext(struct thread *td, struct freebsd32_swapcontext_args *uap)
{
    ucontext32_t uc;
    int ret;

    if (uap->oucp == NULL || uap->ucp == NULL)
        ret = EINVAL;
    else {
+       bzero(&uc, sizeof(uc));    /* proposed fix: clear uc before partial fill */
        get_mcontext32(td, &uc.uc_mcontext, GET_MC_CLEAR_RET);
        PROC_LOCK(td->td_proc);
        uc.uc_sigmask = td->td_sigmask;
        PROC_UNLOCK(td->td_proc);
        ret = copyout(&uc, uap->oucp, UC32_COPY_SIZE);
        if (ret == 0) {
            ret = copyin(uap->ucp, &uc, UC32_COPY_SIZE);
            if (ret == 0) {
                ret = set_mcontext32(td, &uc.uc_mcontext);
                kern_sigprocmask(td, SIG_SETMASK,
                    &uc.uc_sigmask, NULL, 0);
            }
        }
    }
    return (ret);
}
There is no initialization in the else branch, which can lead to leaking stack
information to user space. This is the same vulnerability as
CVE-2018-17155, which was fixed in
https://github.com/freebsd/freebsd/commit/ca2c73670f229fe64818fd64c8cdd5b517912966.
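The following user-space simulation, added here and not part of the bug report or of FreeBSD's code, shows why the missing initialization matters: the context structure is only partially written before the whole UC32_COPY_SIZE bytes are copied out, so whatever the kernel stack held before (including compiler padding between members) reaches user space. The struct layout, field names, the stale-byte marker and the simulated stack slot are all constructed assumptions; `zero_first` selects the proposed bzero() so the two cases can be compared.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for ucontext32_t (not the real FreeBSD layout). Only
 * uc_sigmask and uc_mcontext are written on the swapcontext path; uc_flags,
 * the compiler padding after it, uc_link and uc_stack never are. */
struct ucontext_sim {
    uint32_t uc_sigmask;
    uint8_t  uc_flags;
    /* 3 bytes of compiler padding here on LP64 */
    uint64_t uc_mcontext[2];
    uint32_t uc_link;
    uint32_t uc_stack;
};

#define UC_COPY_SIZE sizeof(struct ucontext_sim)   /* plays UC32_COPY_SIZE */
#define STALE_BYTE   0xA5                           /* marks old stack data */

/* Simulated kernel stack slot for "ucontext32_t uc". The union keeps the
 * struct aligned while letting us pre-fill the raw bytes with stale data. */
static union {
    struct ucontext_sim uc;
    uint8_t raw[sizeof(struct ucontext_sim)];
} kstack;

/* Mirrors the else branch of freebsd32_swapcontext(): partial fill of uc,
 * then copyout() of the whole struct. zero_first selects the bzero(). */
static void build_context(struct ucontext_sim *uc, int zero_first)
{
    if (zero_first)
        memset(uc, 0, sizeof(*uc));            /* the proposed bzero() */
    /* stand-in for get_mcontext32(): writes only the machine context */
    uc->uc_mcontext[0] = 0x1122334455667788ULL;
    uc->uc_mcontext[1] = 0x99aabbccddeeff00ULL;
    uc->uc_sigmask = 0x00000005;               /* td->td_sigmask */
}

/* Bytes of the (hypothetical) struct that the syscall path never writes:
 * everything except uc_sigmask and uc_mcontext, padding included. */
size_t unwritten_bytes(void)
{
    return sizeof(struct ucontext_sim)
         - sizeof(((struct ucontext_sim *)0)->uc_sigmask)
         - sizeof(((struct ucontext_sim *)0)->uc_mcontext);
}

/* Runs one simulated swapcontext and returns how many bytes of stale kernel
 * stack ended up in the user buffer. 0 means no disclosure. */
size_t swapcontext_leak_bytes(int zero_first)
{
    uint8_t user_buf[UC_COPY_SIZE];
    size_t i, leaked = 0;

    /* earlier kernel activity left recognisable data in the stack slot */
    memset(kstack.raw, STALE_BYTE, sizeof(kstack.raw));
    build_context(&kstack.uc, zero_first);
    memcpy(user_buf, &kstack.uc, UC_COPY_SIZE);   /* copyout(&uc, oucp, ...) */

    for (i = 0; i < UC_COPY_SIZE; i++)
        if (user_buf[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("without bzero: %zu of %zu bytes leaked\n",
           swapcontext_leak_bytes(0), (size_t)UC_COPY_SIZE);
    printf("with bzero:    %zu of %zu bytes leaked\n",
           swapcontext_leak_bytes(1), (size_t)UC_COPY_SIZE);
    return 0;
}
```

On an LP64 build the unzeroed path leaks 12 of the 32 bytes (uc_flags, three padding bytes, uc_link and uc_stack), and the zeroed path leaks none. The padding bytes are the part easiest to miss in review: even a function that assigns every named member still leaves them stale, which is why clearing the whole object before the copyout is the robust fix.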