author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2020-07-08 21:05:43 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2020-07-08 21:05:43 +0000 |
commit | 8fc429301e9cd74ba786ee50ee09df3f5f4edae7 (patch) | |
tree | 9ec17e6a0f45f4ddb84dfaa384454c1e39d1e88a /sys/kern | |
parent | 2218b5fa4509aeaadb3469be2474f4ee602c682c (diff) |
Info leaks in semctl SEM_GET, the pads (unknown old contents) and base (a
RW page within allocatable space) were leaked. report from adam@grimm-co
ok millert
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/sysv_sem.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/kern/sysv_sem.c b/sys/kern/sysv_sem.c
index f9dc776842b..8425888ccea 100644
--- a/sys/kern/sysv_sem.c
+++ b/sys/kern/sysv_sem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysv_sem.c,v 1.58 2020/06/24 22:03:42 cheloha Exp $ */
+/* $OpenBSD: sysv_sem.c,v 1.59 2020/07/08 21:05:42 deraadt Exp $ */
 /* $NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $ */
 
 /*
@@ -299,7 +299,9 @@ semctl1(struct proc *p, int semid, int semnum, int cmd, union semun *arg,
 case IPC_STAT:
 if ((error = ipcperm(cred, &semaptr->sem_perm, IPC_R)))
 return (error);
- error = ds_copyout(semaptr, arg->buf, sizeof(struct semid_ds));
+ memcpy(&sbuf, semaptr, sizeof sbuf);
+ sbuf.sem_base = NULL;
+ error = ds_copyout(&sbuf, arg->buf, sizeof(struct semid_ds));
 break;
 
 case GETNCNT:
@@ -423,7 +425,7 @@ sys_semget(struct proc *p, void *v, register_t *retval)
 nsems, seminfo.semmns - semtot));
 return (ENOSPC);
 }
- semaptr_new = pool_get(&sema_pool, PR_WAITOK);
+ semaptr_new = pool_get(&sema_pool, PR_WAITOK | PR_ZERO);
 semaptr_new->sem_base = mallocarray(nsems, sizeof(struct sem),
 M_SEM, M_WAITOK|M_ZERO);
 } |
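Review bot: In the IPC_STAT case the copy into `sbuf` is sized with `sizeof sbuf`, while the copyout two lines later is still sized with `sizeof(struct semid_ds)`. `sbuf` is declared outside this hunk, so the two lengths agree only if it really is a `struct semid_ds`. Using one expression for both, `error = ds_copyout(&sbuf, arg->buf, sizeof sbuf);`, ties the exported length to the sanitized object. A one-line comment above the clear, such as `/* sem_base is a kernel address; never copy it out */`, would keep a later cleanup from going back to a direct copyout of `semaptr`. The body of semctl1 continues outside the hunk.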
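Review bot: Nothing at the `pool_get` call in sys_semget records why `PR_ZERO` is required. The IPC_STAT path in semctl1 copies the whole structure to the caller, pads included, so it depends on this allocation being zeroed. A comment such as `/* PR_ZERO: IPC_STAT copies the pads to userland */` would document that coupling. Any other allocation from `sema_pool` would need the same flag, although none is visible in this diff. The enclosing block starts and ends outside the hunk.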