Author: bz
Date: Sat Mar 14 14:04:55 2020
New Revision: 358992
URL: https://svnweb.freebsd.org/changeset/base/358992

Log:
  kern_jail: missing \0 termination check on osrelease parameter
  
  If a user supplies a non-\0 terminated osrelease parameter reading it back
  may disclose kernel memory.
  This is a problem in case of nested jails (children.max > 0, which is not
  the default).  Otherwise root outside the jail has access to kernel memory
  by other means and root inside a jail cannot create a child jail.
  
  Add the proper \0 check at the end of a supplied osrelease parameter and
  make sure any copies of the field will be \0-terminated.
  
  Submitted by: Hans Christian Woithe (chwoithe yahoo.com)
  MFC after:    3 days
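The bug class the log describes, shown as an added userland example (this is not code from the commit or from FreeBSD; `kmem`, `OPT_LEN` and the `copy_*`/`demo_*` helpers are constructed stand-ins). The option buffer is modelled as the first bytes of a larger array with no NUL inside the option; the old path copies with strcpy() and drags the adjacent bytes along, the new path applies the same two checks the patch adds and then copies with an explicit bound.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OSRELEASELEN 32     /* same field size as the jail code uses */

/* Constructed stand-in for memory as the kernel sees it: the first OPT_LEN
 * bytes are the option the user supplied (no NUL among them), the bytes after
 * it stand for unrelated kernel data that must never reach userland. */
#define OPT_LEN 8
static const char kmem[] = "11.2-REL" "SECRET-KEY-MATL";

/* The checks the patch adds: empty or unterminated -> EINVAL,
 * terminated but too long for the field -> ENAMETOOLONG. */
int osrelease_check(const char *buf, size_t len)
{
    if (len == 0 || buf[len - 1] != '\0')
        return EINVAL;
    if (len >= OSRELEASELEN)
        return ENAMETOOLONG;
    return 0;
}

/* Pre-patch behaviour: only the length is checked, then strcpy() runs to the
 * first NUL it finds, which here lies beyond the option. Returns how many
 * bytes ended up in dst, i.e. how much a later read of the field would show. */
size_t copy_unchecked(char *dst, size_t dstlen, const char *src, size_t len)
{
    if (len == 0 || len >= dstlen)
        return 0;
    strcpy(dst, src);
    return strlen(dst);
}

/* Post-patch behaviour: validate first, then copy with an explicit bound.
 * The bounded copy is spelled out with strnlen/memcpy because strlcpy is not
 * in every libc; strlcpy(dst, src, dstlen) is the equivalent kernel call. */
int copy_checked(char *dst, size_t dstlen, const char *src, size_t len)
{
    int rc = osrelease_check(src, len);
    if (rc != 0)
        return rc;
    size_t n = strnlen(src, dstlen - 1);
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Helpers that run both paths on the constructed option. */
size_t demo_old_leak(void)
{
    char dst[OSRELEASELEN];
    return copy_unchecked(dst, sizeof dst, kmem, OPT_LEN);
}

int demo_new_reject(void)
{
    char dst[OSRELEASELEN];
    return copy_checked(dst, sizeof dst, kmem, OPT_LEN);
}

int main(void)
{
    char dst[OSRELEASELEN];
    size_t n = copy_unchecked(dst, sizeof dst, kmem, OPT_LEN);
    printf("old path copied %zu bytes: \"%s\"\n", n, dst);
    printf("new path returns %d (EINVAL is %d)\n", demo_new_reject(), EINVAL);
    return 0;
}
```

Note that the old length check passes for the 8-byte option because 8 < OSRELEASELEN; the over-read is bounded only by where the next NUL happens to sit, which is exactly why checking `buf[len - 1]` is the fix and the bounded copy is only a backstop.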

Modified:
  head/sys/kern/kern_jail.c

Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c   Sat Mar 14 11:55:27 2020        (r358991)
+++ head/sys/kern/kern_jail.c   Sat Mar 14 14:04:55 2020        (r358992)
@@ -865,8 +865,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
                            "osrelease cannot be changed after creation");
                        goto done_errmsg;
                }
-               if (len == 0 || len >= OSRELEASELEN) {
+               if (len == 0 || osrelstr[len - 1] != '\0') {
                        error = EINVAL;
+                       goto done_free;
+               }
+               if (len >= OSRELEASELEN) {
+                       error = ENAMETOOLONG;
                        vfs_opterror(opts,
                            "osrelease string must be 1-%d bytes long",
                            OSRELEASELEN - 1);
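Review bot: the new EINVAL branch (`goto done_free`) leaves no error message behind, whereas every other rejection in this block, the `goto done_errmsg` just above and the ENAMETOOLONG branch below, calls vfs_opterror() first; a caller passing an empty or unterminated osrelease now gets a bare EINVAL with no hint why. Consider adding `vfs_opterror(opts, "osrelease string must be NUL-terminated")` and jumping to `done_errmsg` like the neighbouring paths. Also note the too-long case changes from EINVAL to ENAMETOOLONG, which is visible to any caller matching on errno and is not mentioned in the log message.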
@@ -1241,9 +1245,11 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
 
                pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
                if (osrelstr == NULL)
-                   strcpy(pr->pr_osrelease, ppr->pr_osrelease);
+                       strlcpy(pr->pr_osrelease, ppr->pr_osrelease,
+                           sizeof(pr->pr_osrelease));
                else
-                   strcpy(pr->pr_osrelease, osrelstr);
+                       strlcpy(pr->pr_osrelease, osrelstr,
+                           sizeof(pr->pr_osrelease));
 
                LIST_INIT(&pr->pr_children);
                mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK);
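Review bot: with termination and length now checked at option-parsing time, the strlcpy from `osrelstr` cannot truncate for input that passed the check above, so these two copies are defence in depth rather than the fix itself; a one-line comment saying so would stop a later reader from "simplifying" the check on the grounds that strlcpy bounds the copy anyway. Using `sizeof(pr->pr_osrelease)` rather than OSRELEASELEN is the right choice here, since it stays correct if the field size changes.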
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all