author: Eric van Gyzen <vangyzen@FreeBSD.org> 2018-11-26 20:52:53 +0000
committer: Eric van Gyzen <vangyzen@FreeBSD.org> 2018-11-26 20:52:53 +0000
commit: 4d5a1084097c999da329687b8f5c8bca2cc2a1fc
tree: 22c1eb9780d674803feafd5527e98eba337ee54c /sys/riscv
parent: f5e7d8bdb51ec52b3530c85f42bb7aff8a495330
Prevent kernel stack disclosure in signal delivery

On arm64 and riscv platforms, sendsig() failed to zero the signal frame before copying it out to userspace. Zero it.

On arm, I believe all the contents of the frame were initialized, so there was no disclosure. However, explicitly zero the whole frame because that fact could inadvertently change in the future, it's more clear to the reader, and I could be wrong in the first place.

MFC after: 2 days
Security: similar to FreeBSD-EN-18:12.mem and CVE-2018-17155
Sponsored by: Dell EMC Isilon

Notes: svn path=/head/; revision=340995
Diffstat (limited to 'sys/riscv')
-rw-r--r-- sys/riscv/riscv/machdep.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/riscv/riscv/machdep.c b/sys/riscv/riscv/machdep.c
index 0735ec034603..c1fc921d90cd 100644
--- a/sys/riscv/riscv/machdep.c
+++ b/sys/riscv/riscv/machdep.c
@@ -582,6 +582,7 @@ sendsig(sig_t catcher, ksiginfo_t *ksi, sigset_t *mask)
fp = (struct sigframe *)STACKALIGN(fp);
/* Fill in the frame to copy out */
+ bzero(&frame, sizeof(frame));
get_mcontext(td, &frame.sf_uc.uc_mcontext, 0);
get_fpcontext(td, &frame.sf_uc.uc_mcontext);
frame.sf_si = ksi->ksi_info;
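
Review bot: the added bzero(&frame, sizeof(frame)) sits under the existing comment "Fill in the frame to copy out" with nothing saying why it is needed. Because get_mcontext(), get_fpcontext() and the sf_si assignment right after it appear to populate the frame, a later cleanup could drop the call as redundant. Suggest a one-line comment above it saying that the frame is copied out to userspace, so padding and any member not set below must not carry stale kernel stack contents. Separately, frame.sf_si = ksi->ksi_info is a struct assignment made after the zeroing, so padding inside sf_si is not guaranteed to stay zero. It is worth confirming that ksi_info is itself zeroed where it is built.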