svn commit: r331329 - head/sys/i386/ibcs2
Ed Maste
emaste at FreeBSD.org
Wed Mar 21 23:26:43 UTC 2018
Author: emaste
Date: Wed Mar 21 23:26:42 2018
New Revision: 331329
URL: https://svnweb.freebsd.org/changeset/base/331329
Log:
Fix kernel memory disclosure in ibcs2_getdents
ibcs2_getdents() copies a dirent structure to userland. The ibcs2
dirent structure contains a 2 byte pad element. This element is never
initialized, but copied to userland none-the-less.
Note that ibcs2 has not built on HEAD since r302095.
Submitted by: Domagoj Stolfa <ds815 at cam.ac.uk>
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
MFC after: 3 days
Security: Kernel memory disclosure (803)
Modified:
head/sys/i386/ibcs2/ibcs2_misc.c
Modified: head/sys/i386/ibcs2/ibcs2_misc.c
==============================================================================
--- head/sys/i386/ibcs2/ibcs2_misc.c Wed Mar 21 23:21:32 2018 (r331328)
+++ head/sys/i386/ibcs2/ibcs2_misc.c Wed Mar 21 23:26:42 2018 (r331329)
@@ -330,6 +330,7 @@ ibcs2_getdents(struct thread *td, struct ibcs2_getdent
#define BSD_DIRENT(cp) ((struct dirent *)(cp))
#define IBCS2_RECLEN(reclen) (reclen + sizeof(u_short))
+ memset(&idb, 0, sizeof(idb));
error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp);
if (error != 0)
return (error);
More information about the svn-src-head
mailing list