
nanosleep: plug a kernel memory disclosure
ClosedPublic

Authored by vangyzen on Mar 18 2017, 1:48 PM.
Details

Summary

nanosleep() updates rmtp on EINVAL. In that case, kern_nanosleep()
has not updated rmt, so sys_nanosleep() updates the user-space rmtp
by copying garbage from its stack frame. This is a kernel memory
disclosure. It's also not POSIX-compliant. Fix it to update rmtp
only on EINTR.

I found this while working on D10020, and I made it public before
realizing the possible security implications.
The Security Officer suggested that I go ahead and commit the fix.
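The pattern described in the summary, as an added user-space model (not the FreeBSD patch or kernel code): the kernel-side routine returns EINVAL before it ever writes rmt, so a wrapper that copies rmt out unconditionally hands the caller whatever its own stack frame held. The `_model`, `_buggy` and `_fixed` names are assumptions, and the 0x41 fill stands in for uninitialized stack contents.

```c
/* Added example, not the FreeBSD patch: a user-space model of the rmtp
 * handling described above.  kern_nanosleep() returns EINVAL before it
 * ever writes rmt, so copying rmt out unconditionally leaks whatever the
 * wrapper's stack frame held.  The _model names are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <string.h>
#include <time.h>

#define NSEC_PER_SEC 1000000000L

/* Kernel-side model: rejects a bad nanosecond field, fills *rmt only on EINTR. */
static int kern_nanosleep_model(const struct timespec *rqt,
                                struct timespec *rmt, bool interrupted)
{
    if (rqt->tv_nsec < 0 || rqt->tv_nsec >= NSEC_PER_SEC)
        return EINVAL;             /* rmt deliberately left untouched */
    if (interrupted) {
        *rmt = *rqt;               /* constructed: pretend nothing elapsed */
        return EINTR;
    }
    return 0;
}

/* Pre-fix wrapper: writes rmtp whenever it is non-NULL, including on
 * EINVAL, when rmt still holds stale stack contents (marked 0x41 here). */
static int sys_nanosleep_buggy(const struct timespec *rqtp,
                               struct timespec *rmtp, bool interrupted)
{
    struct timespec rmt;
    memset(&rmt, 0x41, sizeof(rmt));   /* stand-in for uninitialized stack */
    int error = kern_nanosleep_model(rqtp, &rmt, interrupted);
    if (rmtp != NULL)
        *rmtp = rmt;                    /* kernel stack bytes reach the caller */
    return error;
}

/* Fixed wrapper: rmtp is written only when the sleep was interrupted. */
static int sys_nanosleep_fixed(const struct timespec *rqtp,
                               struct timespec *rmtp, bool interrupted)
{
    struct timespec rmt;
    memset(&rmt, 0x41, sizeof(rmt));
    int error = kern_nanosleep_model(rqtp, &rmt, interrupted);
    if (error == EINTR && rmtp != NULL)
        *rmtp = rmt;
    return error;
}
```

Calling both wrappers with `tv_nsec = -1` and a pre-filled rmtp shows the difference: the fixed wrapper leaves rmtp untouched, the buggy one overwrites it with the marker bytes.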

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

Thankfully, this is likely not a severe disclosure.

For the linuxulator this does not make sense now, as we check timespec values in linux_to_native_timespec before calling kern_nanosleep().

This revision is now accepted and ready to land. (Mar 18 2017, 2:01 PM)

> For the linuxulator this does not make sense now, as we check timespec values in linux_to_native_timespec before calling kern_nanosleep().

kern_nanosleep checks for negative nanoseconds, but I don't see where linux_to_native_timespec checks for that.

>> For the linuxulator this does not make sense now, as we check timespec values in linux_to_native_timespec before calling kern_nanosleep().
>
> kern_nanosleep checks for negative nanoseconds, but I don't see where linux_to_native_timespec checks for that.

Yes, this is an error; the Linux timespec_valid() function casts tv_usec to unsigned before comparison. I'll fix it.

This revision was automatically updated to reflect the committed changes.