svn commit: r359142 - in releng: 11.3/sys/kern 12.1/sys/kern

Gordon Tetlow gordon at FreeBSD.org
Thu Mar 19 16:51:35 UTC 2020


Author: gordon
Date: Thu Mar 19 16:51:33 2020
New Revision: 359142
URL: https://svnweb.freebsd.org/changeset/base/359142

Log:
  Fix kernel memory disclosure with nested jails.
  
  Approved by:	so
  Security:	FreeBSD-SA-20:08.jail
  Security:	CVE-2020-7453

Modified:
  releng/11.3/sys/kern/kern_jail.c
  releng/12.1/sys/kern/kern_jail.c

Modified: releng/11.3/sys/kern/kern_jail.c
==============================================================================
--- releng/11.3/sys/kern/kern_jail.c	Thu Mar 19 16:50:36 2020	(r359141)
+++ releng/11.3/sys/kern/kern_jail.c	Thu Mar 19 16:51:33 2020	(r359142)
@@ -881,8 +881,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
 			    "osrelease cannot be changed after creation");
 			goto done_errmsg;
 		}
-		if (len == 0 || len >= OSRELEASELEN) {
+		if (len == 0 || osrelstr[len - 1] != '\0') {
 			error = EINVAL;
+			goto done_free;
+		}
+		if (len >= OSRELEASELEN) {
+			error = ENAMETOOLONG;
 			vfs_opterror(opts,
 			    "osrelease string must be 1-%d bytes long",
 			    OSRELEASELEN - 1);
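Review bot: The new unterminated-string check at `if (len == 0 || osrelstr[len - 1] != '\0')` returns EINVAL via `goto done_free` without calling vfs_opterror(), so a caller that supplied an errmsg buffer gets no explanation, unlike the adjacent over-length case and the "cannot be changed after creation" case above it, which both set a message before `goto done_errmsg`. Unless done_free is deliberately chosen to skip the errmsg copy-out, I would make the three paths consistent: `vfs_opterror(opts, "osrelease string must be NUL-terminated");` followed by `goto done_errmsg;`. The check itself is sound: the `len == 0` test short-circuits before `osrelstr[len - 1]` is indexed, and requiring the final byte to be NUL is what makes the later bounded copy safe; a short comment such as `/* Reject unterminated input: len comes from the caller, not from strlen(). */` would record why this test precedes the length check. kern_jail_set and the done_free/done_errmsg labels lie outside the hunk, so the exact cleanup difference between the two targets cannot be confirmed here.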
@@ -1272,9 +1276,11 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
 
 		pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
 		if (osrelstr == NULL)
-		    strcpy(pr->pr_osrelease, ppr->pr_osrelease);
+			strlcpy(pr->pr_osrelease, ppr->pr_osrelease,
+			    sizeof(pr->pr_osrelease));
 		else
-		    strcpy(pr->pr_osrelease, osrelstr);
+			strlcpy(pr->pr_osrelease, osrelstr,
+			    sizeof(pr->pr_osrelease));
 
 		LIST_INIT(&pr->pr_children);
 		mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK);
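Review bot: The switch from strcpy() to strlcpy() at `strlcpy(pr->pr_osrelease, osrelstr, sizeof(pr->pr_osrelease));` is the right defensive copy but carries no explanation, and a later reader may wonder whether truncation is a possible silent outcome here. Given the earlier validation in this commit (osrelstr must be NUL-terminated and shorter than OSRELEASELEN) and that ppr->pr_osrelease is presumably the same-sized array, the copy should never truncate; I would state that in a comment above the if/else, e.g. `/* osrelstr was validated to be NUL-terminated and < OSRELEASELEN above; strlcpy bounds the copy regardless. */`. If truncation is ever considered possible, the strlcpy return value should be checked rather than ignored. The enclosing kern_jail_set body continues outside the hunk.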

Modified: releng/12.1/sys/kern/kern_jail.c
==============================================================================
--- releng/12.1/sys/kern/kern_jail.c	Thu Mar 19 16:50:36 2020	(r359141)
+++ releng/12.1/sys/kern/kern_jail.c	Thu Mar 19 16:51:33 2020	(r359142)
@@ -862,8 +862,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
 			    "osrelease cannot be changed after creation");
 			goto done_errmsg;
 		}
-		if (len == 0 || len >= OSRELEASELEN) {
+		if (len == 0 || osrelstr[len - 1] != '\0') {
 			error = EINVAL;
+			goto done_free;
+		}
+		if (len >= OSRELEASELEN) {
+			error = ENAMETOOLONG;
 			vfs_opterror(opts,
 			    "osrelease string must be 1-%d bytes long",
 			    OSRELEASELEN - 1);
@@ -1253,9 +1257,11 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
 
 		pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
 		if (osrelstr == NULL)
-		    strcpy(pr->pr_osrelease, ppr->pr_osrelease);
+			strlcpy(pr->pr_osrelease, ppr->pr_osrelease,
+			    sizeof(pr->pr_osrelease));
 		else
-		    strcpy(pr->pr_osrelease, osrelstr);
+			strlcpy(pr->pr_osrelease, osrelstr,
+			    sizeof(pr->pr_osrelease));
 
 		LIST_INIT(&pr->pr_children);
 		mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK);

