nanosleep: plug a kernel memory disclosure
ClosedPublic
Actions

Authored by vangyzen on Mar 18 2017, 1:48 PM.

Details

Reviewers

jilles
dchagin

Commits

rS315510: nanosleep: plug a kernel memory disclosure

Summary

nanosleep() updates rmtp on EINVAL. In that case, kern_nanosleep()
has not updated rmt, so sys_nanosleep() updates the user-space rmtp
by copying garbage from its stack frame. This is a kernel memory
disclosure. It's also not POSIX-compliant. Fix it to update rmtp
only on EINTR.

I found this while working on D10020, and I made it public before
realizing the possible security implications.
The Security Officer suggested that I go ahead and commit the fix.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 8116
Build 8321: CI src build	Jenkins
Build 8320: arc lint + arc unit

Event Timeline

vangyzen created this revision.Mar 18 2017, 1:48 PM

Herald added subscribers: badger, imp. · View Herald TranscriptMar 18 2017, 1:48 PM

Thankfully, this is likely not a severe disclosure.

For linuxulator this does not make sense now as we check timespec values in linux_to_native_timespec before calling kern_nanosleep()

This revision is now accepted and ready to land.Mar 18 2017, 2:01 PM

Harbormaster completed remote builds in B8116: Diff 26386.Mar 18 2017, 2:32 PM

In D10044#207644, @dchagin wrote:

For linuxulator this does not make sense now as we check timespec values in linux_to_native_timespec before calling kern_nanosleep()

kern_nanosleep checks for negative nanoseconds, but I don't see where linux_to_native_timespec checks for that.

In D10044#207661, @vangyzen wrote:

In D10044#207644, @dchagin wrote:

For linuxulator this does not make sense now as we check timespec values in linux_to_native_timespec before calling kern_nanosleep()

kern_nanosleep checks for negative nanoseconds, but I don't see where linux_to_native_timespec checks for that.