Plug some kernel memory disclosures via kevent(2).
The kernel may register for events on behalf of a userspace process, in which case it must be careful to zero the kevent struct that will be copied out to userspace. Reviewed by: kib MFC after: 3 days Security: kernel stack memory disclosure Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D18317
parent
a2afae524a
commit
36c4960ef8
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=340899
@ -535,8 +535,9 @@ knote_fork(struct knlist *list, int pid)
|
|||||||
|
|
||||||
if (list == NULL)
|
if (list == NULL)
|
||||||
return;
|
return;
|
||||||
list->kl_lock(list->kl_lockarg);
|
|
||||||
|
|
||||||
|
memset(&kev, 0, sizeof(kev));
|
||||||
|
list->kl_lock(list->kl_lockarg);
|
||||||
SLIST_FOREACH(kn, &list->kl_list, kn_selnext) {
|
SLIST_FOREACH(kn, &list->kl_list, kn_selnext) {
|
||||||
kq = kn->kn_kq;
|
kq = kn->kn_kq;
|
||||||
KQ_LOCK(kq);
|
KQ_LOCK(kq);
|
||||||
|
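Review bot: The new `memset(&kev, 0, sizeof(kev));` in knote_fork runs once, before `list->kl_lock` and the `SLIST_FOREACH`, so the same kev is reused for every knote on the list. That is only sufficient if each iteration assigns every field it uses and nothing called from the loop writes back into kev; the loop body continues outside this hunk, so this cannot be confirmed from here. If a callee can modify kev, for example to report an error, moving the memset to the top of the loop body would start each registration from a known-zero struct at negligible cost.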
@ -1589,6 +1589,7 @@ aio_aqueue(struct thread *td, struct aiocb *ujob, struct aioliojob *lj,
|
|||||||
goto aqueue_fail;
|
goto aqueue_fail;
|
||||||
}
|
}
|
||||||
kqfd = job->uaiocb.aio_sigevent.sigev_notify_kqueue;
|
kqfd = job->uaiocb.aio_sigevent.sigev_notify_kqueue;
|
||||||
|
memset(&kev, 0, sizeof(kev));
|
||||||
kev.ident = (uintptr_t)job->ujob;
|
kev.ident = (uintptr_t)job->ujob;
|
||||||
kev.filter = EVFILT_AIO;
|
kev.filter = EVFILT_AIO;
|
||||||
kev.flags = EV_ADD | EV_ENABLE | EV_FLAG1 | evflags;
|
kev.flags = EV_ADD | EV_ENABLE | EV_FLAG1 | evflags;
|
||||||
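Review bot: Nothing at the new memset in aio_aqueue records why it is required, and the same applies to the ones added in kern_lio_listio and knote_fork. A later cleanup could plausibly replace it with field-by-field assignment or an initializer, neither of which guarantees that padding bytes and unassigned members are cleared. I would add a comment above each call, such as `/* Zero all of kev, padding included: it is later copied out to userspace via kevent(2). */`. The assignments to kev continue outside this hunk.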
@ -2155,6 +2156,7 @@ kern_lio_listio(struct thread *td, int mode, struct aiocb * const *uacb_list,
|
|||||||
bcopy(sig, &lj->lioj_signal, sizeof(lj->lioj_signal));
|
bcopy(sig, &lj->lioj_signal, sizeof(lj->lioj_signal));
|
||||||
if (lj->lioj_signal.sigev_notify == SIGEV_KEVENT) {
|
if (lj->lioj_signal.sigev_notify == SIGEV_KEVENT) {
|
||||||
/* Assume only new style KEVENT */
|
/* Assume only new style KEVENT */
|
||||||
|
memset(&kev, 0, sizeof(kev));
|
||||||
kev.filter = EVFILT_LIO;
|
kev.filter = EVFILT_LIO;
|
||||||
kev.flags = EV_ADD | EV_ENABLE | EV_FLAG1;
|
kev.flags = EV_ADD | EV_ENABLE | EV_FLAG1;
|
||||||
kev.ident = (uintptr_t)uacb_list; /* something unique */
|
kev.ident = (uintptr_t)uacb_list; /* something unique */
|
||||||
|