svn commit: r359020 - stable/11/sys/kern

Bjoern A. Zeeb bz at FreeBSD.org
Mon Mar 16 21:12:34 UTC 2020


Author: bz
Date: Mon Mar 16 21:12:32 2020
New Revision: 359020
URL: https://svnweb.freebsd.org/changeset/base/359020

Log:
  MFC r358992:
  
    kern_jail: missing \0 termination check on osrelease parameter
  
    If a user supplies a non-\0 terminated osrelease parameter, reading it back
    may disclose kernel memory.
    This is a problem in case of nested jails (children.max > 0, which is not
    the default).  Otherwise root outside the jail has access to kernel memory
    by other means and root inside a jail cannot create a child jail.
  
    Add the proper \0 check at the end of a supplied osrelease parameter and
    make sure any copies of the field will be \0-terminated.
  
    Submitted by:	Hans Christian Woithe (chwoithe yahoo.com)

Modified:
  stable/11/sys/kern/kern_jail.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/kern/kern_jail.c
==============================================================================
--- stable/11/sys/kern/kern_jail.c	Mon Mar 16 19:33:50 2020	(r359019)
+++ stable/11/sys/kern/kern_jail.c	Mon Mar 16 21:12:32 2020	(r359020)
@@ -881,8 +881,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
 			    "osrelease cannot be changed after creation");
 			goto done_errmsg;
 		}
-		if (len == 0 || len >= OSRELEASELEN) {
+		if (len == 0 || osrelstr[len - 1] != '\0') {
 			error = EINVAL;
+			goto done_free;
+		}
+		if (len >= OSRELEASELEN) {
+			error = ENAMETOOLONG;
 			vfs_opterror(opts,
 			    "osrelease string must be 1-%d bytes long",
 			    OSRELEASELEN - 1);
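Review bot: The new `len == 0 || osrelstr[len - 1] != '\0'` branch leaves through `done_free` with a bare EINVAL, so an empty or unterminated osrelease is rejected without any `vfs_opterror()` text; before this change the `len == 0` case shared the "must be 1-%d bytes long" message. If `done_free` skips the errmsg copy-out (the label is outside this hunk), the caller cannot tell which parameter was refused. Consider `vfs_opterror(opts, "osrelease string must be non-empty and NUL-terminated");` followed by `goto done_errmsg;` in that branch, unless a silent EINVAL is the convention for the other string parameters in kern_jail_set. A one-line comment such as `/* len counts the terminating NUL */` above `if (len >= OSRELEASELEN)` would also make the bound easier to audit. The body of kern_jail_set continues outside the hunk.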
@@ -1272,9 +1276,11 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
 
 		pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
 		if (osrelstr == NULL)
-		    strcpy(pr->pr_osrelease, ppr->pr_osrelease);
+			strlcpy(pr->pr_osrelease, ppr->pr_osrelease,
+			    sizeof(pr->pr_osrelease));
 		else
-		    strcpy(pr->pr_osrelease, osrelstr);
+			strlcpy(pr->pr_osrelease, osrelstr,
+			    sizeof(pr->pr_osrelease));
 
 		LIST_INIT(&pr->pr_children);
 		mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK);
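Review bot: Both `strlcpy()` calls discard the return value, so nothing at the copy site records why truncation cannot occur. For `osrelstr` it follows from the earlier `len >= OSRELEASELEN` rejection, and for `ppr->pr_osrelease` presumably from parent and child fields having the same size; the declaration of `pr_osrelease` is not in this hunk, so that part is an assumption. I would add a comment above the `if`, e.g. `/* osrelstr was checked to be NUL-terminated and shorter than OSRELEASELEN, so neither copy truncates. */`. The enclosing block of kern_jail_set starts and ends outside the hunk.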

