author | Mark Johnston <markj@FreeBSD.org> | 2018-11-24 17:02:31 +0000 |
---|---|---|
committer | Mark Johnston <markj@FreeBSD.org> | 2018-11-24 17:02:31 +0000 |
commit | 36c4960ef829cf675aee22da292ea6002bd0d429 (patch) | |
tree | 895778c40836e7e2d5d3b8b936654017422451f2 /sys/kern/vfs_aio.c | |
parent | a2afae524a5e42f54cc75d1aca34c2650a8ad44a (diff) | |
Plug some kernel memory disclosures via kevent(2).
The kernel may register for events on behalf of a userspace process,
in which case it must be careful to zero the kevent struct that will be
copied out to userspace.
Reviewed by: kib
MFC after: 3 days
Security: kernel stack memory disclosure
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D18317
Notes:
svn path=/head/; revision=340899
Diffstat (limited to 'sys/kern/vfs_aio.c')
-rw-r--r-- | sys/kern/vfs_aio.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c index 69dd50cf7bdf..a8bce0ee2500 100644 --- a/sys/kern/vfs_aio.c +++ b/sys/kern/vfs_aio.c @@ -1589,6 +1589,7 @@ aio_aqueue(struct thread *td, struct aiocb *ujob, struct aioliojob *lj, goto aqueue_fail; } kqfd = job->uaiocb.aio_sigevent.sigev_notify_kqueue; + memset(&kev, 0, sizeof(kev)); kev.ident = (uintptr_t)job->ujob; kev.filter = EVFILT_AIO; kev.flags = EV_ADD | EV_ENABLE | EV_FLAG1 | evflags; @@ -2155,6 +2156,7 @@ kern_lio_listio(struct thread *td, int mode, struct aiocb * const *uacb_list, bcopy(sig, &lj->lioj_signal, sizeof(lj->lioj_signal)); if (lj->lioj_signal.sigev_notify == SIGEV_KEVENT) { /* Assume only new style KEVENT */ + memset(&kev, 0, sizeof(kev)); kev.filter = EVFILT_LIO; kev.flags = EV_ADD | EV_ENABLE | EV_FLAG1; kev.ident = (uintptr_t)uacb_list; /* something unique */ |
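Review bot: In the aio_aqueue() hunk, the new memset(&kev, 0, sizeof(kev)) ahead of the kev.ident assignment has no comment explaining why it is needed. Because the following lines set ident, filter and flags one by one, the call can look redundant and be dropped in a later cleanup. A one-line comment saying that the struct is later copied out to userspace, so padding and any field not assigned here must be zero, would protect it.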
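Review bot: In the kern_lio_listio() hunk, the new memset(&kev, 0, sizeof(kev)) is inserted between the comment /* Assume only new style KEVENT */ and the kev.filter = EVFILT_LIO line that the comment describes, so the comment now reads as if it were about the memset. Move the memset above that comment, or give it its own comment stating that kev is zeroed because it will be copied out to userspace. The call also sits inside the SIGEV_KEVENT branch, so it is worth confirming that kev is not used on any path outside this branch.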