authorderaadt <deraadt@openbsd.org>2020-07-08 21:05:42 +0000
committerderaadt <deraadt@openbsd.org>2020-07-08 21:05:42 +0000
commit464b9e490f2a1ac3e43c1dd16ffd344d9bbc61e0 (patch)
treef10cfb344f788e73d23cf8a3e181e50cd4b995c5 /sys
parentHandle a few more Hypervisor traps. (diff)
downloadwireguard-openbsd-464b9e490f2a1ac3e43c1dd16ffd344d9bbc61e0.tar.xz
wireguard-openbsd-464b9e490f2a1ac3e43c1dd16ffd344d9bbc61e0.zip
Info leaks in semctl SEM_GET, the pads (unknown old contents) and base (a
RW page within allocatable space) were leaked. report from adam@grimm-co ok millert
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/sysv_sem.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/kern/sysv_sem.c b/sys/kern/sysv_sem.c
index f9dc776842b..8425888ccea 100644
--- a/sys/kern/sysv_sem.c
+++ b/sys/kern/sysv_sem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysv_sem.c,v 1.58 2020/06/24 22:03:42 cheloha Exp $ */
+/* $OpenBSD: sysv_sem.c,v 1.59 2020/07/08 21:05:42 deraadt Exp $ */
/* $NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $ */
/*
@@ -299,7 +299,9 @@ semctl1(struct proc *p, int semid, int semnum, int cmd, union semun *arg,
case IPC_STAT:
if ((error = ipcperm(cred, &semaptr->sem_perm, IPC_R)))
return (error);
- error = ds_copyout(semaptr, arg->buf, sizeof(struct semid_ds));
+ memcpy(&sbuf, semaptr, sizeof sbuf);
+ sbuf.sem_base = NULL;
+ error = ds_copyout(&sbuf, arg->buf, sizeof(struct semid_ds));
break;
case GETNCNT:
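Review bot: The `sbuf` copied out in the IPC_STAT case still carries the pad fields and any compiler padding byte-for-byte from the live object, so this hunk on its own closes only the `sem_base` pointer leak; the pads are clean solely because of the `PR_ZERO` added in the sys_semget hunk. That coupling deserves a comment above the memcpy, e.g. `/* never copy out sem_base (kernel address); pads are zero because sema_pool entries are allocated with PR_ZERO */`, so a later allocation path does not silently reintroduce the leak. As a style point, the copy uses `sizeof sbuf` while the copyout keeps `sizeof(struct semid_ds)`; `ds_copyout(&sbuf, arg->buf, sizeof(sbuf))` would tie both sizes to the same object. The declaration of `sbuf` and the rest of semctl1 lie outside the hunk, so its type is assumed here to be `struct semid_ds`.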
@@ -423,7 +425,7 @@ sys_semget(struct proc *p, void *v, register_t *retval)
nsems, seminfo.semmns - semtot));
return (ENOSPC);
}
- semaptr_new = pool_get(&sema_pool, PR_WAITOK);
+ semaptr_new = pool_get(&sema_pool, PR_WAITOK | PR_ZERO);
semaptr_new->sem_base = mallocarray(nsems, sizeof(struct sem),
M_SEM, M_WAITOK|M_ZERO);
}