author | vangyzen <vangyzen@FreeBSD.org> | 2017-03-21 01:24:56 +0000 |
---|---|---|
committer | vangyzen <vangyzen@FreeBSD.org> | 2017-03-21 01:24:56 +0000 |
commit | bce7b617018c250761c47f5c3f108e921967f532 (patch) | |
tree | 38045c69fcc87f27332a5d18235a9c269d297727 /sys/kern | |
parent | a6db9e5e83494f5602591a3e37979bac624d7d31 (diff) | |
download | FreeBSD-src-bce7b617018c250761c47f5c3f108e921967f532.zip FreeBSD-src-bce7b617018c250761c47f5c3f108e921967f532.tar.gz |
MFC r315510
nanosleep: plug a kernel memory disclosure
nanosleep() updates rmtp on EINVAL. In that case, kern_nanosleep()
has not updated rmt, so sys_nanosleep() updates the user-space rmtp
by copying garbage from its stack frame. This is not only a kernel
memory disclosure, it's also not POSIX-compliant. Fix it to update
rmtp only on EINTR.
Security: possibly
Sponsored by: Dell EMC
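To make the disclosure described in the commit message observable outside the kernel, the following added example (not FreeBSD code, and not part of this commit page) reproduces the error-path logic of sys_nanosleep() in user space. The hypothetical sim_kern_nanosleep() stands in for kern_nanosleep(): it leaves rmt untouched on EINVAL and fills it on EINTR, and sim_copyout() stands in for copyout(). The 0xAA fill of the stack variable is a constructed stand-in for whatever stale data a real kernel stack frame would hold; it exists only so the leak can be counted.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-in for kern_nanosleep(): EINVAL leaves rmt untouched
 * (as the real function does), EINTR fills rmt with the remaining time.
 * "interrupted" is a constructed flag that simulates a signal arriving. */
static int sim_kern_nanosleep(const struct timespec *rqt, struct timespec *rmt,
                              int interrupted)
{
	if (rqt->tv_nsec < 0 || rqt->tv_nsec >= 1000000000L)
		return (EINVAL);            /* rmt is not written here */
	if (interrupted) {
		rmt->tv_sec = rqt->tv_sec / 2;  /* constructed "time left" */
		rmt->tv_nsec = rqt->tv_nsec;
		return (EINTR);
	}
	return (0);
}

/* Stand-in for copyout(): kernel buffer -> "user" buffer. */
static int sim_copyout(const void *kaddr, void *uaddr, size_t len)
{
	memcpy(uaddr, kaddr, len);
	return (0);
}

/* Shared body; "fixed" selects the pre-patch or post-patch condition. */
static int sim_sys_nanosleep(const struct timespec *rqtp, struct timespec *rmtp,
                             int interrupted, int fixed)
{
	struct timespec rqt, rmt;
	int error, error2;

	/* Constructed stale stack contents, so a leak is visible. */
	memset(&rmt, 0xAA, sizeof(rmt));
	rqt = *rqtp;
	error = sim_kern_nanosleep(&rqt, &rmt, interrupted);
	if ((fixed ? error == EINTR : error != 0) && rmtp != NULL) {
		error2 = sim_copyout(&rmt, rmtp, sizeof(rmt));
		if (error2)
			error = error2;
	}
	return (error);
}

/* Number of 0xAA bytes that reach the user buffer after an EINVAL call:
 * sizeof(struct timespec) before the fix, 0 after it. */
size_t leaked_bytes_on_einval(int fixed)
{
	struct timespec bad = { .tv_sec = 1, .tv_nsec = 2000000000L }; /* invalid */
	struct timespec user;
	const unsigned char *p = (const unsigned char *)&user;
	size_t i, n = 0;

	memset(&user, 0, sizeof(user));
	if (sim_sys_nanosleep(&bad, &user, 0, fixed) != EINVAL)
		return ((size_t)-1);
	for (i = 0; i < sizeof(user); i++)
		if (p[i] == 0xAA)
			n++;
	return (n);
}

/* The EINTR path must still report the remaining time in both versions. */
int remaining_reported_on_eintr(int fixed)
{
	struct timespec rq = { .tv_sec = 4, .tv_nsec = 500 }; /* constructed request */
	struct timespec user;

	memset(&user, 0, sizeof(user));
	if (sim_sys_nanosleep(&rq, &user, 1, fixed) != EINTR)
		return (0);
	return (user.tv_sec == 2 && user.tv_nsec == 500);
}

int main(void)
{
	printf("leaked bytes on EINVAL, before fix: %zu\n", leaked_bytes_on_einval(0));
	printf("leaked bytes on EINVAL, after fix:  %zu\n", leaked_bytes_on_einval(1));
	printf("EINTR still reports remaining time: %d / %d\n",
	    remaining_reported_on_eintr(0), remaining_reported_on_eintr(1));
	return (0);
}
```

The only difference between the two code paths is the condition on the copy, which is exactly the one-line change in the diff; the EINTR path is unaffected, and the EINVAL path no longer copies uninitialised stack bytes to user space.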
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_time.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c index 7f481b3..fb669a8 100644 --- a/sys/kern/kern_time.c +++ b/sys/kern/kern_time.c @@ -546,7 +546,7 @@ sys_nanosleep(struct thread *td, struct nanosleep_args *uap) !useracc((caddr_t)uap->rmtp, sizeof(rmt), VM_PROT_WRITE)) return (EFAULT); error = kern_nanosleep(td, &rqt, &rmt); - if (error && uap->rmtp) { + if (error == EINTR && uap->rmtp) { int error2; error2 = copyout(&rmt, uap->rmtp, sizeof(rmt)); |
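Review bot: The narrowed condition `if (error == EINTR && uap->rmtp)` is the right fix for the hunk as shown, since `rmt` is a stack local that kern_nanosleep() only fills on the interrupted path, and POSIX only defines rmtp for the signal-interrupted case. Two follow-ups would make the intent durable: add a one-line comment above the `if` stating that `rmt` is valid only on EINTR, so a future error code returned from kern_nanosleep() does not silently reintroduce the disclosure, and consider zero-initialising `rmt` at its declaration as defence in depth, so that even a regressed condition copies zeros rather than stale stack contents. The `useracc()` check and the `error2` handling that follow are unchanged by this patch and look consistent with the new condition.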