From bce7b617018c250761c47f5c3f108e921967f532 Mon Sep 17 00:00:00 2001
From: vangyzen
Date: Tue, 21 Mar 2017 01:24:56 +0000
Subject: MFC r315510 nanosleep: plug a kernel memory disclosure

nanosleep() updates rmtp on EINVAL. In that case, kern_nanosleep() has not updated rmt, so sys_nanosleep() updates the user-space rmtp by copying garbage from its stack frame. This is not only a kernel memory disclosure, it's also not POSIX-compliant. Fix it to update rmtp only on EINTR.

Security: possibly
Sponsored by: Dell EMC
---
 sys/kern/kern_time.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'sys/kern')

diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c
index 7f481b3..fb669a8 100644
--- a/sys/kern/kern_time.c
+++ b/sys/kern/kern_time.c
@@ -546,7 +546,7 @@ sys_nanosleep(struct thread *td, struct nanosleep_args *uap)
 !useracc((caddr_t)uap->rmtp, sizeof(rmt), VM_PROT_WRITE))
 return (EFAULT);
 error = kern_nanosleep(td, &rqt, &rmt);
-if (error && uap->rmtp) {
+if (error == EINTR && uap->rmtp) {
 int error2;
 error2 = copyout(&rmt, uap->rmtp, sizeof(rmt));
-- 
cgit v1.1
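Review bot: The new `error == EINTR` test is correct only under a contract that nothing at the call site records: kern_nanosleep() (outside this hunk) must fill `*rmt` on its EINTR path and on no other error path (in FreeBSD it also folds ERESTART into EINTR there, so a restarted sleep is presumably still covered), and a comment on the changed line, `/* kern_nanosleep() writes *rmt only when it returns EINTR; copying it out on any other error would disclose uninitialized stack. */`, would keep a later edit to either function from reopening the leak. As defense in depth, zero-initializing `rmt` where it is declared above the hunk (`struct timespec rmt = { 0 };`, if that is its declaration) would bound the damage should the contract drift, at the cost of one small store per call. sys_nanosleep() starts before and ends after this hunk, so the declaration of `rmt` and the handling of `error2` after the copyout are not visible here.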