author | deraadt <deraadt@openbsd.org> | 2020-07-08 21:05:42 +0000 |
---|---|---|
committer | deraadt <deraadt@openbsd.org> | 2020-07-08 21:05:42 +0000 |
commit | 464b9e490f2a1ac3e43c1dd16ffd344d9bbc61e0 (patch) | |
tree | f10cfb344f788e73d23cf8a3e181e50cd4b995c5 /sys | |
parent | Handle a few more Hypervisor traps. (diff) | |
Info leaks in semctl SEM_GET, the pads (unknown old contents) and base (a
RW page within allocatable space) were leaked. report from adam@grimm-co
ok millert
Diffstat (limited to 'sys')
-rw-r--r-- | sys/kern/sysv_sem.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/kern/sysv_sem.c b/sys/kern/sysv_sem.c
index f9dc776842b..8425888ccea 100644
--- a/sys/kern/sysv_sem.c
+++ b/sys/kern/sysv_sem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysv_sem.c,v 1.58 2020/06/24 22:03:42 cheloha Exp $ */
+/* $OpenBSD: sysv_sem.c,v 1.59 2020/07/08 21:05:42 deraadt Exp $ */
 /* $NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $ */
 /*
@@ -299,7 +299,9 @@ semctl1(struct proc *p, int semid, int semnum, int cmd, union semun *arg,
 case IPC_STAT:
 if ((error = ipcperm(cred, &semaptr->sem_perm, IPC_R))) return (error);
- error = ds_copyout(semaptr, arg->buf, sizeof(struct semid_ds));
+ memcpy(&sbuf, semaptr, sizeof sbuf);
+ sbuf.sem_base = NULL;
+ error = ds_copyout(&sbuf, arg->buf, sizeof(struct semid_ds));
 break;
 case GETNCNT:
@@ -423,7 +425,7 @@ sys_semget(struct proc *p, void *v, register_t *retval)
 nsems, seminfo.semmns - semtot));
 return (ENOSPC);
 }
- semaptr_new = pool_get(&sema_pool, PR_WAITOK);
+ semaptr_new = pool_get(&sema_pool, PR_WAITOK | PR_ZERO);
 semaptr_new->sem_base = mallocarray(nsems, sizeof(struct sem), M_SEM, M_WAITOK|M_ZERO);
 } |
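Review bot: In the IPC_STAT case the memcpy is sized with `sizeof sbuf` but the copyout after it still uses `sizeof(struct semid_ds)`; sizing both from the bounce buffer, `error = ds_copyout(&sbuf, arg->buf, sizeof sbuf);`, keeps the length handed to userland tied to the object that was actually scrubbed. The `sbuf.sem_base = NULL;` line deserves a comment such as `/* do not expose the kernel address of the semaphore array */`, because nothing in the code says why the field is cleared. The declaration of sbuf and the rest of semctl1 lie outside the hunk, so its type is presumed to be struct semid_ds. Any other path that copies a struct semid_ds to userland (none is visible in this diff) would presumably need the same scrub.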
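Review bot: Nothing at the `pool_get(&sema_pool, PR_WAITOK | PR_ZERO)` call records why the zeroing is required, so a later cleanup could drop the flag and bring back the padding leak through IPC_STAT, which copies the structure out whole. A one-line comment above the call, for example `/* PR_ZERO: copied out whole by IPC_STAT, pads must not hold stale pool memory */`, would pin the invariant. This only holds while no later code writes unscrubbed data into the pad fields, which cannot be confirmed here because the body of sys_semget starts and ends outside the hunk.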