authorvangyzen <vangyzen@FreeBSD.org>2017-03-21 01:24:56 +0000
committervangyzen <vangyzen@FreeBSD.org>2017-03-21 01:24:56 +0000
commitbce7b617018c250761c47f5c3f108e921967f532 (patch)
tree38045c69fcc87f27332a5d18235a9c269d297727 /sys/kern
parenta6db9e5e83494f5602591a3e37979bac624d7d31 (diff)
downloadFreeBSD-src-bce7b617018c250761c47f5c3f108e921967f532.zip
FreeBSD-src-bce7b617018c250761c47f5c3f108e921967f532.tar.gz
MFC r315510
nanosleep: plug a kernel memory disclosure

nanosleep() updates rmtp on EINVAL. In that case, kern_nanosleep() has not updated rmt, so sys_nanosleep() updates the user-space rmtp by copying garbage from its stack frame. This is not only a kernel memory disclosure; it is also not POSIX-compliant. Fix it to update rmtp only on EINTR.

Security: possibly
Sponsored by: Dell EMC
Diffstat (limited to 'sys/kern')
-rw-r--r--sys/kern/kern_time.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c
index 7f481b3..fb669a8 100644
--- a/sys/kern/kern_time.c
+++ b/sys/kern/kern_time.c
@@ -546,7 +546,7 @@ sys_nanosleep(struct thread *td, struct nanosleep_args *uap)
!useracc((caddr_t)uap->rmtp, sizeof(rmt), VM_PROT_WRITE))
return (EFAULT);
error = kern_nanosleep(td, &rqt, &rmt);
- if (error && uap->rmtp) {
+ if (error == EINTR && uap->rmtp) {
int error2;
error2 = copyout(&rmt, uap->rmtp, sizeof(rmt));
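Review bot: Keying the copyout on EINTR stops the uninitialized rmt from reaching user space on EINVAL, but the fix still relies on kern_nanosleep() filling rmt on every EINTR return, and rmt's declaration is outside the hunk; if that declaration leaves rmt uninitialized, a second line of defense is to zero it at declaration, `struct timespec rmt = { 0 };` (rmt's type is inferred from the copyout to uap->rmtp), so no other error path can ever copy stack contents out. If kern_nanosleep() can report an interrupted sleep under a different code (ERESTART comes to mind; confirm against its definition), those returns would now skip the copyout entirely, so a short comment on the new condition would help: `/* POSIX: rmtp is updated only when the sleep is interrupted by a signal. */`. The useracc() check above the call only validates the range before the sleep; copyout() remains the authoritative fault check, so the error2 handling that presumably follows below the hunk is still necessary. sys_nanosleep() begins and ends outside the hunk.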