author glebius <glebius@FreeBSD.org> 2016-01-14 10:13:58 +0000
committer glebius <glebius@FreeBSD.org> 2016-01-14 10:13:58 +0000
commit d87c627c80b21d086df34f676a0b56c91ddb6b47 (patch)
tree 9d48b94cb8823f28687a449380ee744975864a66 /sys/compat
parent 51f55053b6565d2fe9b61f63460dddc23284a103 (diff)
Change linux get_robust_list system call to match actual linux one.

The set_robust_list system call requests the kernel to record the head of the list of robust futexes owned by the calling thread. The head argument is the list head to record. The get_robust_list system call should return the head of the robust list of the thread whose thread id is specified in pid argument. The list head should be stored in the location pointed to by head argument.

In contrast, our implementation of get_robust_list system call copies the known portion of memory pointed by recorded in set_robust_list system call pointer to the head of the robust list to the location pointed by head argument.

So, it is possible for a local attacker to read portions of kernel memory, which may result in a privilege escalation.

Submitted by: mjg
Security: SA-16:03.linux

Diffstat (limited to 'sys/compat')
-rw-r--r-- sys/compat/linux/linux_futex.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/compat/linux/linux_futex.c b/sys/compat/linux/linux_futex.c
index db8ab2c..be7c8a0 100644
--- a/sys/compat/linux/linux_futex.c
+++ b/sys/compat/linux/linux_futex.c
@@ -1131,7 +1131,7 @@ linux_get_robust_list(struct thread *td, struct linux_get_robust_list_args *args
return (EFAULT);
}
- error = copyout(head, args->head, sizeof(struct linux_robust_list_head));
+ error = copyout(&head, args->head, sizeof(head));
if (error) {
LIN_SDT_PROBE1(futex, linux_get_robust_list, copyout_error,
error);
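Review bot: In the `+` line, `sizeof(head)` ties the copy length to the declared type of `head`, which sits outside this hunk, so the fix stays correct only while `head` remains a pointer. A one-line comment above the `copyout` stating that `head` holds the address recorded by set_robust_list and that only that pointer value goes to `args->head` would keep a later edit from reintroducing the struct-sized copy from `head`. It is also worth confirming that the width of `head` matches what a 32-bit Linux process expects at `args->head`, since a native-width pointer would be wider than a 4-byte slot.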