authorMark Johnston <markj@FreeBSD.org>2018-12-03 20:54:17 +0000
committerMark Johnston <markj@FreeBSD.org>2018-12-03 20:54:17 +0000
commit352aaa51225671cce8ea44347e6f5a1e5f7daaf8 (patch)
tree2f36a07a27f15119d23554d908ac9bf58735e5dc /sys/fs
parent4903c73faf1b23112000d59ebdd9f875650d0689 (diff)
Plug memory disclosures via ptrace(2).
On some architectures, the structures returned by PT_GET*REGS were not fully populated and could contain uninitialized stack memory. The same issue existed with the register files in procfs. Reported by: Thomas Barabosch, Fraunhofer FKIE Reviewed by: kib MFC after: 3 days Security: kernel stack memory disclosure Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D18421
Notes
Notes: svn path=/head/; revision=341442
Diffstat (limited to 'sys/fs')
-rw-r--r--sys/fs/procfs/procfs_dbregs.c4
-rw-r--r--sys/fs/procfs/procfs_fpregs.c5
-rw-r--r--sys/fs/procfs/procfs_regs.c5
3 files changed, 9 insertions, 5 deletions
diff --git a/sys/fs/procfs/procfs_dbregs.c b/sys/fs/procfs/procfs_dbregs.c
index 25f6e9565c63..8d2206d2995c 100644
--- a/sys/fs/procfs/procfs_dbregs.c
+++ b/sys/fs/procfs/procfs_dbregs.c
@@ -112,8 +112,10 @@ procfs_doprocdbregs(PFS_FILL_ARGS)
return (EINVAL);
}
wrap32 = 1;
- }
+ memset(&r32, 0, sizeof(r32));
+ } else
#endif
+ memset(&r, 0, sizeof(r));
error = PROC(read, dbregs, td2, &r);
if (error == 0) {
PROC_UNLOCK(p);
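Review bot: The `} else` placed directly above `#endif` makes `memset(&r, 0, sizeof(r));` an unbraced else-body when COMPAT_FREEBSD32 is defined and a plain statement when it is not, so clearing the native buffer depends on nothing ever being inserted between those two lines. A less fragile shape is to clear `r` unconditionally ahead of the compat block, which appears to open above this hunk, and keep the plain `}` after `memset(&r32, 0, sizeof(r32));`; the cost is one redundant clear of a small structure on the 32-bit path. The same construct is added in procfs_doprocfpregs and procfs_doprocregs. The function body starts and ends outside the hunk.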
diff --git a/sys/fs/procfs/procfs_fpregs.c b/sys/fs/procfs/procfs_fpregs.c
index cf48dd170691..9675030df3c0 100644
--- a/sys/fs/procfs/procfs_fpregs.c
+++ b/sys/fs/procfs/procfs_fpregs.c
@@ -102,7 +102,6 @@ procfs_doprocfpregs(PFS_FILL_ARGS)
return (EBUSY);
}
- /* XXXKSE: */
td2 = FIRST_THREAD_IN_PROC(p);
#ifdef COMPAT_FREEBSD32
if (SV_CURPROC_FLAG(SV_ILP32)) {
@@ -111,8 +110,10 @@ procfs_doprocfpregs(PFS_FILL_ARGS)
return (EINVAL);
}
wrap32 = 1;
- }
+ memset(&r32, 0, sizeof(r32));
+ } else
#endif
+ memset(&r, 0, sizeof(r));
error = PROC(read, fpregs, td2, &r);
if (error == 0) {
PROC_UNLOCK(p);
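Review bot: Nothing at the two new memset() calls says why the buffers are cleared, and the reason cannot be seen from this function: per the commit message, the register read routines on some architectures do not fully populate the structure, so the stack buffer would otherwise hand stale kernel stack bytes to the reader. Without that context a later cleanup could drop the calls as redundant initialisation. A short comment above them would pin the intent, for example `/* Zero first: the MD read routine may leave parts of the structure unset, and this buffer is handed back to the caller. */`; the same comment fits procfs_doprocdbregs and procfs_doprocregs. The function body starts and ends outside the hunk.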
diff --git a/sys/fs/procfs/procfs_regs.c b/sys/fs/procfs/procfs_regs.c
index 60e0a3851101..032141a9e32e 100644
--- a/sys/fs/procfs/procfs_regs.c
+++ b/sys/fs/procfs/procfs_regs.c
@@ -102,7 +102,6 @@ procfs_doprocregs(PFS_FILL_ARGS)
return (EBUSY);
}
- /* XXXKSE: */
td2 = FIRST_THREAD_IN_PROC(p);
#ifdef COMPAT_FREEBSD32
if (SV_CURPROC_FLAG(SV_ILP32)) {
@@ -111,8 +110,10 @@ procfs_doprocregs(PFS_FILL_ARGS)
return (EINVAL);
}
wrap32 = 1;
- }
+ memset(&r32, 0, sizeof(r32));
+ } else
#endif
+ memset(&r, 0, sizeof(r));
error = PROC(read, regs, td2, &r);
if (error == 0) {
PROC_UNLOCK(p);