authorGordon Tetlow <gordon@FreeBSD.org>2020-03-19 16:51:33 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2020-03-19 16:51:33 +0000
commitdd377685f2810780a397577c63e8236e9bd95e8c (patch)
tree49760d78681dfb336186caec0af3cf29f93111f2
parentfcfa8e1efd4ccee4a497806c4eed5c71d2071b4c (diff)
Fix kernel memory disclosure with nested jails.
Approved by: so Security: FreeBSD-SA-20:08.jail Security: CVE-2020-7453
Notes
Notes: svn path=/releng/12.1/; revision=359142
-rw-r--r--sys/kern/kern_jail.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 35564477f002..2cc4f54e6fa6 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -862,8 +862,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
"osrelease cannot be changed after creation");
goto done_errmsg;
}
- if (len == 0 || len >= OSRELEASELEN) {
+ if (len == 0 || osrelstr[len - 1] != '\0') {
error = EINVAL;
+ goto done_free;
+ }
+ if (len >= OSRELEASELEN) {
+ error = ENAMETOOLONG;
vfs_opterror(opts,
"osrelease string must be 1-%d bytes long",
OSRELEASELEN - 1);
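Review bot: The new unterminated-string rejection at `+ if (len == 0 || osrelstr[len - 1] != '\0')` sets EINVAL and jumps straight to `done_free` without a vfs_opterror() call, so unlike the ENAMETOOLONG branch immediately below it the caller gets a bare errno and no message explaining why the osrelease option was refused. Adding `vfs_opterror(opts, "osrelease string must be NUL-terminated");` before the goto, and routing it through the same reporting label the neighbouring branch presumably uses (`done_errmsg`, as the visible `goto done_errmsg;` after the earlier vfs_opterror suggests), would keep the two rejections consistent for userland. The ordering of the new condition matters and deserves a one-line comment: `len == 0` must be tested first so that `osrelstr[len - 1]` never indexes before the buffer, and the terminator check must precede any copy of the string so a later bounded copy cannot run past the option data. kern_jail_set continues on both sides of this hunk.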
@@ -1253,9 +1257,11 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
if (osrelstr == NULL)
- strcpy(pr->pr_osrelease, ppr->pr_osrelease);
+ strlcpy(pr->pr_osrelease, ppr->pr_osrelease,
+ sizeof(pr->pr_osrelease));
else
- strcpy(pr->pr_osrelease, osrelstr);
+ strlcpy(pr->pr_osrelease, osrelstr,
+ sizeof(pr->pr_osrelease));
LIST_INIT(&pr->pr_children);
mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK);