authorGordon Tetlow <gordon@FreeBSD.org>2017-11-15 22:40:46 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2017-11-15 22:40:46 +0000
commitfc060baf2798512911ce49add0e87f2d957b45df (patch)
tree4a96644266c91a3524eee5a1050bec4dcbee0ce1
parent087a6afc1b17d5131fa3888d174902c8d4ac1c29 (diff)
Fix kernel data leak via ptrace(PT_LWPINFO). [SA-17:08]
Approved by: so Security: FreeBSD-SA-17:08.ptrace Security: CVE-2017-1086
Notes
Notes: svn path=/releng/10.3/; revision=325871
-rw-r--r--sys/kern/sys_process.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index bbfe321d875b..418a6488e8bb 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -474,6 +474,7 @@ ptrace_lwpinfo_to32(const struct ptrace_lwpinfo *pl,
struct ptrace_lwpinfo32 *pl32)
{
+ bzero(pl32, sizeof(*pl32));
pl32->pl_lwpid = pl->pl_lwpid;
pl32->pl_event = pl->pl_event;
pl32->pl_flags = pl->pl_flags;
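Review bot: The added `bzero(pl32, sizeof(*pl32));` at the top of ptrace_lwpinfo_to32 carries no comment, and because the lines after it assign members one by one it reads like a redundant clear that a later cleanup could remove. Going by the commit title, this structure ends up in userland, so padding and any member not assigned below must not hold stale kernel memory; a one-line comment would record that, for example `/* Zero padding and unassigned members; this struct is copied out to userland. */`. The same comment belongs on `bzero(pl, sizeof(*pl));` in the kern_ptrace hunk. The function body continues past the end of this hunk.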
@@ -1193,6 +1194,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data)
} else
#endif
pl = addr;
+ bzero(pl, sizeof(*pl));
pl->pl_lwpid = td2->td_tid;
pl->pl_event = PL_EVENT_NONE;
pl->pl_flags = 0;
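Review bot: The whole-structure `bzero(pl, sizeof(*pl));` clears padding and unassigned members, but `pl->pl_siginfo = td2->td_dbgksi.ksi_info;`, visible as context in the next hunk, is a struct assignment that may overwrite the zeroed region with every byte of the source, including any padding or unused union space. When PL_FLAG_SI is set the fix therefore depends on td_dbgksi being fully initialised wherever it is filled in, which is not visible on this page and should be confirmed. Once verified, record it next to the assignment, for example `/* td_dbgksi is fully initialised by its producer; no stale bytes are copied. */`. kern_ptrace starts and ends outside this hunk.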
@@ -1213,8 +1215,6 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data)
pl->pl_siginfo = td2->td_dbgksi.ksi_info;
}
}
- if ((pl->pl_flags & PL_FLAG_SI) == 0)
- bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo));
if (td2->td_dbgflags & TDB_SCE)
pl->pl_flags |= PL_FLAG_SCE;
else if (td2->td_dbgflags & TDB_SCX)