authorTheo de Raadt <deraadt@cvs.openbsd.org>2020-07-08 21:05:43 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2020-07-08 21:05:43 +0000
commit8fc429301e9cd74ba786ee50ee09df3f5f4edae7 (patch)
tree9ec17e6a0f45f4ddb84dfaa384454c1e39d1e88a /sys/kern
parent2218b5fa4509aeaadb3469be2474f4ee602c682c (diff)
Info leaks in semctl SEM_GET: the pads (unknown old contents) and base (a
RW page within allocatable space) were leaked. report from adam@grimm-co ok millert
Diffstat (limited to 'sys/kern')
-rw-r--r--sys/kern/sysv_sem.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/kern/sysv_sem.c b/sys/kern/sysv_sem.c
index f9dc776842b..8425888ccea 100644
--- a/sys/kern/sysv_sem.c
+++ b/sys/kern/sysv_sem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysv_sem.c,v 1.58 2020/06/24 22:03:42 cheloha Exp $ */
+/* $OpenBSD: sysv_sem.c,v 1.59 2020/07/08 21:05:42 deraadt Exp $ */
/* $NetBSD: sysv_sem.c,v 1.26 1996/02/09 19:00:25 christos Exp $ */
/*
@@ -299,7 +299,9 @@ semctl1(struct proc *p, int semid, int semnum, int cmd, union semun *arg,
case IPC_STAT:
if ((error = ipcperm(cred, &semaptr->sem_perm, IPC_R)))
return (error);
- error = ds_copyout(semaptr, arg->buf, sizeof(struct semid_ds));
+ memcpy(&sbuf, semaptr, sizeof sbuf);
+ sbuf.sem_base = NULL;
+ error = ds_copyout(&sbuf, arg->buf, sizeof(struct semid_ds));
break;
case GETNCNT:
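Review bot: In the IPC_STAT case only `sem_base` is scrubbed explicitly; the pad fields still pass through `memcpy(&sbuf, semaptr, sizeof sbuf)` unchanged, so they are clean only because of the `PR_ZERO` added to `pool_get()` in the sys_semget hunk below. That coupling is invisible at either site, so I would add a comment above the memcpy, e.g. `/* never copy out the kernel address in sem_base; pads rely on PR_ZERO at pool_get() */`, and a matching one at the allocation. As a style point, the two adjacent lines size the same object as `sizeof sbuf` and `sizeof(struct semid_ds)`; `error = ds_copyout(&sbuf, arg->buf, sizeof(sbuf));` would tie the copyout length to the buffer actually passed. The declaration of `sbuf` and the rest of semctl1 are outside the hunk, so this assumes `sbuf` is a `struct semid_ds`.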
@@ -423,7 +425,7 @@ sys_semget(struct proc *p, void *v, register_t *retval)
nsems, seminfo.semmns - semtot));
return (ENOSPC);
}
- semaptr_new = pool_get(&sema_pool, PR_WAITOK);
+ semaptr_new = pool_get(&sema_pool, PR_WAITOK | PR_ZERO);
semaptr_new->sem_base = mallocarray(nsems, sizeof(struct sem),
M_SEM, M_WAITOK|M_ZERO);
}