Author: gordon
Date: Wed Nov 15 22:49:47 2017
New Revision: 325875
URL: https://svnweb.freebsd.org/changeset/base/325875

Log:
  Properly bzero kldstat structure to prevent information leak. [SA-17:10]
  
  Approved by:  so
  Security:     FreeBSD-SA-17:10.kldstat
  Security:     CVE-2017-1088

Modified:
  releng/11.1/UPDATING
  releng/11.1/sys/compat/freebsd32/freebsd32_misc.c
  releng/11.1/sys/conf/newvers.sh
  releng/11.1/sys/kern/kern_linker.c

Modified: releng/11.1/UPDATING
==============================================================================
--- releng/11.1/UPDATING        Wed Nov 15 22:45:50 2017        (r325874)
+++ releng/11.1/UPDATING        Wed Nov 15 22:49:47 2017        (r325875)
@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITHOUT_CLANG and 
 the tip of head, and then rebuild without this option. The bootstrap process
 from older version of current across the gcc/clang cutover is a bit fragile.
 
+20171115       p3      FreeBSD-SA-17:08.ptrace
+                       FreeBSD-SA-17:10.kldstat
+
+       Fix ptrace(2) vulnerability. [SA-17:08.ptrace]
+
+       Fix kldstat(2) vulnerability. [SA-17:10.kldstat]
+
 20171102       p3      FreeBSD-EN-17:09.tzdata
 
        Update timezone database information. [EN-17:09]

Modified: releng/11.1/sys/compat/freebsd32/freebsd32_misc.c
==============================================================================
--- releng/11.1/sys/compat/freebsd32/freebsd32_misc.c   Wed Nov 15 22:45:50 
2017        (r325874)
+++ releng/11.1/sys/compat/freebsd32/freebsd32_misc.c   Wed Nov 15 22:49:47 
2017        (r325875)
@@ -2950,8 +2950,8 @@ freebsd32_copyout_strings(struct image_params *imgp)
 int
 freebsd32_kldstat(struct thread *td, struct freebsd32_kldstat_args *uap)
 {
-       struct kld_file_stat stat;
-       struct kld32_file_stat stat32;
+       struct kld_file_stat *stat;
+       struct kld32_file_stat *stat32;
        int error, version;
 
        if ((error = copyin(&uap->stat->version, &version, sizeof(version)))
@@ -2961,17 +2961,22 @@ freebsd32_kldstat(struct thread *td, struct freebsd32_
            version != sizeof(struct kld32_file_stat))
                return (EINVAL);
 
-       error = kern_kldstat(td, uap->fileid, &stat);
-       if (error != 0)
-               return (error);
-
-       bcopy(&stat.name[0], &stat32.name[0], sizeof(stat.name));
-       CP(stat, stat32, refs);
-       CP(stat, stat32, id);
-       PTROUT_CP(stat, stat32, address);
-       CP(stat, stat32, size);
-       bcopy(&stat.pathname[0], &stat32.pathname[0], sizeof(stat.pathname));
-       return (copyout(&stat32, uap->stat, version));
+       stat = malloc(sizeof(*stat), M_TEMP, M_WAITOK | M_ZERO);
+       stat32 = malloc(sizeof(*stat32), M_TEMP, M_WAITOK | M_ZERO);
+       error = kern_kldstat(td, uap->fileid, stat);
+       if (error == 0) {
+               bcopy(&stat->name[0], &stat32->name[0], sizeof(stat->name));
+               CP(*stat, *stat32, refs);
+               CP(*stat, *stat32, id);
+               PTROUT_CP(*stat, *stat32, address);
+               CP(*stat, *stat32, size);
+               bcopy(&stat->pathname[0], &stat32->pathname[0],
+                   sizeof(stat->pathname));
+               error = copyout(stat32, uap->stat, version);
+       }
+       free(stat, M_TEMP);
+       free(stat32, M_TEMP);
+       return (error);
 }
 
 int
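Review bot: The fix rests entirely on the `M_ZERO` flag of the two `malloc` calls, and nothing in the code says so — a later change that drops the flag or returns to stack allocation would silently reintroduce the leak, because `bcopy(&stat->name[0], ...)` and the pathname copy transfer the whole arrays, while the commit message implies that `kern_kldstat` (outside this hunk) writes only the string bytes. Add a comment above the allocations, e.g. `/* M_ZERO is required: the bytes past the NUL in name/pathname are copied out to userland as-is. */`, and the same comment above the allocation in the `sys_kldstat` hunk of kern_linker.c. Separately, the visible copy list never assigns `stat32->version`, so `copyout(stat32, uap->stat, version)` now writes 0 into the caller's version field (previously it wrote uninitialized stack bytes); if that field is meant to echo the request, `stat32->version = version;` before the copyout restores it, and the `sys_kldstat` hunk has the same question unless `kern_kldstat` sets `stat->version`, which is not visible here.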

Modified: releng/11.1/sys/conf/newvers.sh
==============================================================================
--- releng/11.1/sys/conf/newvers.sh     Wed Nov 15 22:45:50 2017        
(r325874)
+++ releng/11.1/sys/conf/newvers.sh     Wed Nov 15 22:49:47 2017        
(r325875)
@@ -44,7 +44,7 @@
 
 TYPE="FreeBSD"
 REVISION="11.1"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
 if [ -n "${BRANCH_OVERRIDE}" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/11.1/sys/kern/kern_linker.c
==============================================================================
--- releng/11.1/sys/kern/kern_linker.c  Wed Nov 15 22:45:50 2017        
(r325874)
+++ releng/11.1/sys/kern/kern_linker.c  Wed Nov 15 22:49:47 2017        
(r325875)
@@ -1201,7 +1201,7 @@ out:
 int
 sys_kldstat(struct thread *td, struct kldstat_args *uap)
 {
-       struct kld_file_stat stat;
+       struct kld_file_stat *stat;
        int error, version;
 
        /*
@@ -1214,10 +1214,12 @@ sys_kldstat(struct thread *td, struct kldstat_args *ua
            version != sizeof(struct kld_file_stat))
                return (EINVAL);
 
-       error = kern_kldstat(td, uap->fileid, &stat);
-       if (error != 0)
-               return (error);
-       return (copyout(&stat, uap->stat, version));
+       stat = malloc(sizeof(*stat), M_TEMP, M_WAITOK | M_ZERO);
+       error = kern_kldstat(td, uap->fileid, stat);
+       if (error == 0)
+               error = copyout(stat, uap->stat, version);
+       free(stat, M_TEMP);
+       return (error);
 }
 
 int
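Review bot: The zeroing is done at each syscall entry point rather than in `kern_kldstat`, so every present or future caller of `kern_kldstat` has to remember `M_ZERO` (this hunk and the `freebsd32_kldstat` hunk both do, independently). Zeroing the output struct at the top of `kern_kldstat` — outside this hunk — would keep the guarantee next to the code that leaves the tails of `name`/`pathname` unwritten, and the `M_WAITOK | M_ZERO` allocations here would then be defence in depth rather than the only barrier. If the per-caller approach is kept deliberately, a one-line comment on the `malloc` saying that `M_ZERO` is what prevents the copyout of uninitialized bytes would stop the flag from being treated as optional.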