From 464b9e490f2a1ac3e43c1dd16ffd344d9bbc61e0 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Wed, 8 Jul 2020 21:05:42 +0000
Subject: Info leaks in semctl SEM_GET, the pads (unknown old contents) and base (a RW page within allocateable space) were leaked. report from adam@grimm-co ok millert
---
 sys/kern/sysv_sem.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'sys')
diff --git a/sys/kern/sysv_sem.c b/sys/kern/sysv_sem.c
index f9dc776842b..8425888ccea 100644
--- a/sys/kern/sysv_sem.c
+++ b/sys/kern/sysv_sem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysv_sem.c,v 1.58 2020/06/24 22:03:42 cheloha Exp $ */
+/* $OpenBSD: sysv_sem.c,v 1.59 2020/07/08 21:05:42 deraadt Exp $ */
 /* $NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $ */
 /*
@@ -299,7 +299,9 @@ semctl1(struct proc *p, int semid, int semnum, int cmd, union semun *arg,
 case IPC_STAT:
 if ((error = ipcperm(cred, &semaptr->sem_perm, IPC_R)))
 return (error);
- error = ds_copyout(semaptr, arg->buf, sizeof(struct semid_ds));
+ memcpy(&sbuf, semaptr, sizeof sbuf);
+ sbuf.sem_base = NULL;
+ error = ds_copyout(&sbuf, arg->buf, sizeof(struct semid_ds));
 break;
 case GETNCNT:
@@ -423,7 +425,7 @@ sys_semget(struct proc *p, void *v, register_t *retval)
 nsems, seminfo.semmns - semtot));
 return (ENOSPC);
 }
- semaptr_new = pool_get(&sema_pool, PR_WAITOK);
+ semaptr_new = pool_get(&sema_pool, PR_WAITOK | PR_ZERO);
 semaptr_new->sem_base = mallocarray(nsems, sizeof(struct sem), M_SEM, M_WAITOK|M_ZERO);
 }
--
cgit v1.2.3-59-g8ed1b
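Review bot: The two adjacent sizes for the same buffer are spelled differently in the IPC_STAT case: `memcpy(&sbuf, semaptr, sizeof sbuf);` but `ds_copyout(&sbuf, arg->buf, sizeof(struct semid_ds));`; using `sizeof sbuf` in the copyout as well ties the copied length to the local actually being copied. The reason for `sbuf.sem_base = NULL;` lives only in the commit message, so a comment above it such as `/* sem_base is a kernel address; never expose it to userland */` would stop a later cleanup from dropping the line. Note that the memcpy still forwards the pool object's padding bytes unchanged, so this hunk only closes the leak together with the PR_ZERO change in sys_semget; zeroing `sbuf` with `memset` and then copying the individual fields would not depend on how the pool item was allocated. `sbuf` is presumably a `struct semid_ds` declared earlier in semctl1, and the function continues outside the hunk.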
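Review bot: Nothing at the `pool_get(&sema_pool, PR_WAITOK | PR_ZERO);` line records why the zeroing matters, and a flag like this is easy to lose in a later refactor; a comment above it, e.g. `/* PR_ZERO: IPC_STAT copies this struct, padding included, out to userland */`, keeps the intent next to the code. The `mallocarray` call on the following line already passes `M_ZERO`, so the two allocations in this block are now consistent. If any other path in this file copies a `struct semid_ds` to userland it would need the same treatment as the IPC_STAT case; the rest of sys_semget and the other semctl commands are outside the hunk, so that cannot be confirmed here.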