Author: glebius
Date: Thu Jan 14 10:13:58 2016
New Revision: 293907
URL: https://svnweb.freebsd.org/changeset/base/293907

Log:
  Change linux get_robust_list system call to match actual linux one.
  
  The set_robust_list system call request the kernel to record the head
  of the list of robust futexes owned by the calling thread. The head
  argument is the list head to record.
  The get_robust_list system call should return the head of the robust
  list of the thread whose thread id is specified in pid argument.
  The list head should be stored in the location pointed to by head
  argument.
  
  In contrast, our implementation of the get_robust_list system call copies
  the known portion of memory pointed to by the pointer recorded by the
  set_robust_list system call (the head of the robust list) to the location
  pointed to by the head argument.
  
  So, it is possible for a local attacker to read portions of kernel
  memory, which may result in a privilege escalation.
  
  Submitted by: mjg
  Security:     SA-16:03.linux

Modified:
  head/sys/amd64/linux/syscalls.master
  head/sys/amd64/linux32/syscalls.master
  head/sys/compat/linux/linux_futex.c
  head/sys/i386/linux/syscalls.master

Modified: head/sys/amd64/linux/syscalls.master
==============================================================================
--- head/sys/amd64/linux/syscalls.master        Thu Jan 14 10:11:10 2016        
(r293906)
+++ head/sys/amd64/linux/syscalls.master        Thu Jan 14 10:13:58 2016        
(r293907)
@@ -461,8 +461,8 @@
 272    AUE_NULL        STD     { int linux_unshare(void); }
 273    AUE_NULL        STD     { int linux_set_robust_list(struct 
linux_robust_list_head *head, \
                                    l_size_t len); }
-274    AUE_NULL        STD     { int linux_get_robust_list(l_int pid, struct 
linux_robust_list_head *head, \
-                                   l_size_t *len); }
+274    AUE_NULL        STD     { int linux_get_robust_list(l_int pid, \
+                                   struct linux_robust_list_head **head, 
l_size_t *len); }
 275    AUE_NULL        STD     { int linux_splice(void); }
 276    AUE_NULL        STD     { int linux_tee(void); }
 277    AUE_NULL        STD     { int linux_sync_file_range(void); }

Modified: head/sys/amd64/linux32/syscalls.master
==============================================================================
--- head/sys/amd64/linux32/syscalls.master      Thu Jan 14 10:11:10 2016        
(r293906)
+++ head/sys/amd64/linux32/syscalls.master      Thu Jan 14 10:13:58 2016        
(r293907)
@@ -520,8 +520,8 @@
 ; linux 2.6.17:
 311    AUE_NULL        STD     { int linux_set_robust_list(struct 
linux_robust_list_head *head, \
                                        l_size_t len); }
-312    AUE_NULL        STD     { int linux_get_robust_list(l_int pid, struct 
linux_robust_list_head *head, \
-                                       l_size_t *len); }
+312    AUE_NULL        STD     { int linux_get_robust_list(l_int pid, \
+                                   struct linux_robust_list_head **head, 
l_size_t *len); }
 313    AUE_NULL        STD     { int linux_splice(void); }
 314    AUE_NULL        STD     { int linux_sync_file_range(void); }
 315    AUE_NULL        STD     { int linux_tee(void); }

Modified: head/sys/compat/linux/linux_futex.c
==============================================================================
--- head/sys/compat/linux/linux_futex.c Thu Jan 14 10:11:10 2016        
(r293906)
+++ head/sys/compat/linux/linux_futex.c Thu Jan 14 10:13:58 2016        
(r293907)
@@ -1131,7 +1131,7 @@ linux_get_robust_list(struct thread *td,
                return (EFAULT);
        }
 
-       error = copyout(head, args->head, sizeof(struct 
linux_robust_list_head));
+       error = copyout(&head, args->head, sizeof(head));
        if (error) {
                LIN_SDT_PROBE1(futex, linux_get_robust_list, copyout_error,
                    error);
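Review bot: `sizeof(head)` in the added copyout is the size of a native kernel pointer, while `args->head` is a user-space slot sized for the emulated ABI; for the amd64/linux32 table this commit also touches that slot is presumably 4 bytes, so an 8-byte copyout would write one word past it. If `head` is a native `struct linux_robust_list_head *` (its declaration and the start of linux_get_robust_list are outside the hunk), sizing the copy with the ABI pointer-width type, `error = copyout(&head, args->head, sizeof(l_uintptr_t));`, keeps the write within the 32-bit slot on a little-endian host; confirm against the compat linux.h that defines l_uintptr_t per ABI. The switch from copying the pointee to copying the pointer itself is the intended fix and is not in question here.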

Modified: head/sys/i386/linux/syscalls.master
==============================================================================
--- head/sys/i386/linux/syscalls.master Thu Jan 14 10:11:10 2016        
(r293906)
+++ head/sys/i386/linux/syscalls.master Thu Jan 14 10:13:58 2016        
(r293907)
@@ -528,8 +528,8 @@
 ; linux 2.6.17:
 311    AUE_NULL        STD     { int linux_set_robust_list(struct 
linux_robust_list_head *head, \
                                        l_size_t len); }
-312    AUE_NULL        STD     { int linux_get_robust_list(l_int pid, struct 
linux_robust_list_head **head, \
-                                       l_size_t *len); }
+312    AUE_NULL        STD     { int linux_get_robust_list(l_int pid, \
+                                   struct linux_robust_list_head **head, 
l_size_t *len); }
 313    AUE_NULL        STD     { int linux_splice(void); }
 314    AUE_NULL        STD     { int linux_sync_file_range(void); }
 315    AUE_NULL        STD     { int linux_tee(void); }