svn commit: r341153 - in releng/12.0/sys: arm/arm arm64/arm64 riscv/riscv

Eric van Gyzen vangyzen at FreeBSD.org
Wed Nov 28 16:58:37 UTC 2018


Author: vangyzen
Date: Wed Nov 28 16:58:35 2018
New Revision: 341153
URL: https://svnweb.freebsd.org/changeset/base/341153

Log:
  MFS r341147
  
  MFC r340995
  
  Prevent kernel stack disclosure in signal delivery
  
  On arm64 and riscv platforms, sendsig() failed to zero the signal
  frame before copying it out to userspace.  Zero it.
  
  On arm, I believe all the contents of the frame were initialized,
  so there was no disclosure.  However, explicitly zero the whole frame
  because that fact could inadvertently change in the future,
  it's more clear to the reader, and I could be wrong in the first place.
  
  Approved by:	re (gjb)
  Security:	similar to FreeBSD-EN-18:12.mem and CVE-2018-17155
  Sponsored by:	Dell EMC Isilon

Modified:
  releng/12.0/sys/arm/arm/machdep.c
  releng/12.0/sys/arm64/arm64/machdep.c
  releng/12.0/sys/riscv/riscv/machdep.c
Directory Properties:
  releng/12.0/   (props changed)

Modified: releng/12.0/sys/arm/arm/machdep.c
==============================================================================
--- releng/12.0/sys/arm/arm/machdep.c	Wed Nov 28 16:52:41 2018	(r341152)
+++ releng/12.0/sys/arm/arm/machdep.c	Wed Nov 28 16:58:35 2018	(r341153)
@@ -641,6 +641,7 @@ sendsig(catcher, ksi, mask)
 	/* make the stack aligned */
 	fp = (struct sigframe *)STACKALIGN(fp);
 	/* Populate the siginfo frame. */
+	bzero(&frame, sizeof(frame));
 	get_mcontext(td, &frame.sf_uc.uc_mcontext, 0);
 #ifdef VFP
 	get_vfpcontext(td, &frame.sf_vfp);
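
Review bot: The new `bzero(&frame, sizeof(frame));` under "Populate the siginfo frame" has no comment saying why it is there, and the log message itself says the arm frame is believed to be fully initialized already, so a later cleanup could drop the call as redundant. Suggest a one-line comment above it stating that the frame is copied out to userspace and must not carry uninitialized kernel stack bytes, including padding and `frame.sf_vfp` in builds where the `#ifdef VFP` block is compiled out.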

Modified: releng/12.0/sys/arm64/arm64/machdep.c
==============================================================================
--- releng/12.0/sys/arm64/arm64/machdep.c	Wed Nov 28 16:52:41 2018	(r341152)
+++ releng/12.0/sys/arm64/arm64/machdep.c	Wed Nov 28 16:58:35 2018	(r341153)
@@ -656,6 +656,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask
 	fp = (struct sigframe *)STACKALIGN(fp);
 
 	/* Fill in the frame to copy out */
+	bzero(&frame, sizeof(frame));
 	get_mcontext(td, &frame.sf_uc.uc_mcontext, 0);
 	get_fpcontext(td, &frame.sf_uc.uc_mcontext);
 	frame.sf_si = ksi->ksi_info;
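
Review bot: The zeroing does not by itself cover the `frame.sf_si = ksi->ksi_info;` line that follows it. A structure assignment may carry the source's padding bytes into `frame.sf_si`, so whatever `ksi->ksi_info` holds in its padding and unused members can still reach userspace after the `bzero()`. Please confirm that every `ksiginfo_t` reaching sendsig() was zero-initialized when it was created; that code is outside this hunk.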

Modified: releng/12.0/sys/riscv/riscv/machdep.c
==============================================================================
--- releng/12.0/sys/riscv/riscv/machdep.c	Wed Nov 28 16:52:41 2018	(r341152)
+++ releng/12.0/sys/riscv/riscv/machdep.c	Wed Nov 28 16:58:35 2018	(r341153)
@@ -583,6 +583,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask
 	fp = (struct sigframe *)STACKALIGN(fp);
 
 	/* Fill in the frame to copy out */
+	bzero(&frame, sizeof(frame));
 	get_mcontext(td, &frame.sf_uc.uc_mcontext, 0);
 	get_fpcontext(td, &frame.sf_uc.uc_mcontext);
 	frame.sf_si = ksi->ksi_info;
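
Review bot: The `bzero(&frame, sizeof(frame));` is placed at the "Fill in the frame to copy out" step, after `fp` has been computed, rather than where `frame` is declared. If any member of `frame` is assigned earlier in sendsig(), above the lines shown here, this call silently clears it. Please confirm nothing is stored into `frame` before this point, or move the zeroing to the top of the function so the ordering cannot go wrong later.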

