aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGordon Tetlow <gordon@FreeBSD.org>2017-11-15 22:39:41 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2017-11-15 22:39:41 +0000
commit76b971e02fc70584206e60beac7827b92846b9b8 (patch)
tree74b0b5b70985b03f9cddf780d5e6f6a8654c9968
parent0c89e922363bb5a3b4d3377bf2c4389b0fc1a318 (diff)
downloadsrc-76b971e02fc70584206e60beac7827b92846b9b8.tar.gz
src-76b971e02fc70584206e60beac7827b92846b9b8.zip
Fix kernel data leak via ptrace(PT_LWPINFO). [SA-17:08]
Approved by: so Security: FreeBSD-SA-17:08.ptrace Security: CVE-2017-1086
Notes
Notes: svn path=/releng/11.1/; revision=325868
-rw-r--r--sys/kern/sys_process.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index ded874ac9819..a8513c9fcdb3 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -518,6 +518,7 @@ ptrace_lwpinfo_to32(const struct ptrace_lwpinfo *pl,
struct ptrace_lwpinfo32 *pl32)
{
+ bzero(pl32, sizeof(*pl32));
pl32->pl_lwpid = pl->pl_lwpid;
pl32->pl_event = pl->pl_event;
pl32->pl_flags = pl->pl_flags;
@@ -1301,6 +1302,7 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data)
} else
#endif
pl = addr;
+ bzero(pl, sizeof(*pl));
pl->pl_lwpid = td2->td_tid;
pl->pl_event = PL_EVENT_NONE;
pl->pl_flags = 0;
@@ -1321,8 +1323,6 @@ kern_ptrace(struct thread *td, int req, pid_t pid, void *addr, int data)
pl->pl_siginfo = td2->td_dbgksi.ksi_info;
}
}
- if ((pl->pl_flags & PL_FLAG_SI) == 0)
- bzero(&pl->pl_siginfo, sizeof(pl->pl_siginfo));
if (td2->td_dbgflags & TDB_SCE)
pl->pl_flags |= PL_FLAG_SCE;
else if (td2->td_dbgflags & TDB_SCX)