[Midnightbsd-cvs] src [7425] trunk/sys: fix two security issues in the linuxolator.

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Thu Jan 14 19:02:08 EST 2016 

Revision: 7425
          http://svnweb.midnightbsd.org/src/?rev=7425
Author:   laffer1
Date:     2016-01-14 19:02:07 -0500 (Thu, 14 Jan 2016)
Log Message:
-----------
fix two security issues in the linuxolator.  Obtained from: FreeBSD

Modified Paths:
--------------
    trunk/sys/amd64/linux32/linux32_proto.h
    trunk/sys/amd64/linux32/linux32_systrace_args.c
    trunk/sys/amd64/linux32/syscalls.master
    trunk/sys/compat/linux/linux_futex.c
    trunk/sys/compat/linux/linux_misc.c
    trunk/sys/i386/linux/syscalls.master
    trunk/sys/kern/kern_prot.c
    trunk/sys/sys/ucred.h

Property Changed:
----------------
    trunk/sys/compat/linux/linux_emul.c
    trunk/sys/compat/linux/linux_emul.h
    trunk/sys/compat/linux/linux_file.h
    trunk/sys/compat/linux/linux_fork.c
    trunk/sys/compat/linux/linux_futex.c
    trunk/sys/compat/linux/linux_misc.c

Modified: trunk/sys/amd64/linux32/linux32_proto.h
===================================================================
--- trunk/sys/amd64/linux32/linux32_proto.h	2016-01-14 13:45:37 UTC (rev 7424)
+++ trunk/sys/amd64/linux32/linux32_proto.h	2016-01-15 00:02:07 UTC (rev 7425)
@@ -986,7 +986,7 @@
 };
 struct linux_get_robust_list_args {
 	char pid_l_[PADL_(l_int)]; l_int pid; char pid_r_[PADR_(l_int)];
-	char head_l_[PADL_(struct linux_robust_list_head *)]; struct linux_robust_list_head * head; char head_r_[PADR_(struct linux_robust_list_head *)];
+	char head_l_[PADL_(struct linux_robust_list_head **)]; struct linux_robust_list_head ** head; char head_r_[PADR_(struct linux_robust_list_head **)];
 	char len_l_[PADL_(l_size_t *)]; l_size_t * len; char len_r_[PADR_(l_size_t *)];
 };
 struct linux_splice_args {

Modified: trunk/sys/amd64/linux32/linux32_systrace_args.c
===================================================================
--- trunk/sys/amd64/linux32/linux32_systrace_args.c	2016-01-14 13:45:37 UTC (rev 7424)
+++ trunk/sys/amd64/linux32/linux32_systrace_args.c	2016-01-15 00:02:07 UTC (rev 7425)
@@ -2074,7 +2074,7 @@
 	case 312: {
 		struct linux_get_robust_list_args *p = params;
 		iarg[0] = p->pid; /* l_int */
-		uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head * */
+		uarg[1] = (intptr_t) p->head; /* struct linux_robust_list_head ** */
 		uarg[2] = (intptr_t) p->len; /* l_size_t * */
 		*n_args = 3;
 		break;
@@ -5299,7 +5299,7 @@
 			p = "l_int";
 			break;
 		case 1:
-			p = "struct linux_robust_list_head *";
+			p = "struct linux_robust_list_head **";
 			break;
 		case 2:
 			p = "l_size_t *";

Modified: trunk/sys/amd64/linux32/syscalls.master
===================================================================
--- trunk/sys/amd64/linux32/syscalls.master	2016-01-14 13:45:37 UTC (rev 7424)
+++ trunk/sys/amd64/linux32/syscalls.master	2016-01-15 00:02:07 UTC (rev 7425)
@@ -510,8 +510,8 @@
 ; linux 2.6.17:
 311	AUE_NULL	STD	{ int linux_set_robust_list(struct linux_robust_list_head *head, \
 					l_size_t len); }
-312	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, struct linux_robust_list_head *head, \
-					l_size_t *len); }
+312	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, \
+				    struct linux_robust_list_head **head, l_size_t *len); }
 313	AUE_NULL	STD	{ int linux_splice(void); }
 314	AUE_NULL	STD	{ int linux_sync_file_range(void); }
 315	AUE_NULL	STD	{ int linux_tee(void); }

Index: trunk/sys/compat/linux/linux_emul.c
===================================================================
--- trunk/sys/compat/linux/linux_emul.c	2016-01-14 13:45:37 UTC (rev 7424)
+++ trunk/sys/compat/linux/linux_emul.c	2016-01-15 00:02:07 UTC (rev 7425)

Property changes on: trunk/sys/compat/linux/linux_emul.c
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.4
\ No newline at end of property
Index: trunk/sys/compat/linux/linux_emul.h
===================================================================
--- trunk/sys/compat/linux/linux_emul.h	2016-01-14 13:45:37 UTC (rev 7424)
+++ trunk/sys/compat/linux/linux_emul.h	2016-01-15 00:02:07 UTC (rev 7425)

Property changes on: trunk/sys/compat/linux/linux_emul.h
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.4
\ No newline at end of property
Index: trunk/sys/compat/linux/linux_file.h
===================================================================
--- trunk/sys/compat/linux/linux_file.h	2016-01-14 13:45:37 UTC (rev 7424)
+++ trunk/sys/compat/linux/linux_file.h	2016-01-15 00:02:07 UTC (rev 7425)

Property changes on: trunk/sys/compat/linux/linux_file.h
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.2
\ No newline at end of property
Index: trunk/sys/compat/linux/linux_fork.c
===================================================================
--- trunk/sys/compat/linux/linux_fork.c	2016-01-14 13:45:37 UTC (rev 7424)
+++ trunk/sys/compat/linux/linux_fork.c	2016-01-15 00:02:07 UTC (rev 7425)

Property changes on: trunk/sys/compat/linux/linux_fork.c
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.2
\ No newline at end of property
Modified: trunk/sys/compat/linux/linux_futex.c
===================================================================
--- trunk/sys/compat/linux/linux_futex.c	2016-01-14 13:45:37 UTC (rev 7424)
+++ trunk/sys/compat/linux/linux_futex.c	2016-01-15 00:02:07 UTC (rev 7425)
@@ -783,7 +783,7 @@
 	if (error)
 		return (EFAULT);
 
-	error = copyout(head, args->head, sizeof(struct linux_robust_list_head));
+	error = copyout(&head, args->head, sizeof(head));
 
 	return (error);
 }


Property changes on: trunk/sys/compat/linux/linux_futex.c
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.9
\ No newline at end of property
Modified: trunk/sys/compat/linux/linux_misc.c
===================================================================
--- trunk/sys/compat/linux/linux_misc.c	2016-01-14 13:45:37 UTC (rev 7424)
+++ trunk/sys/compat/linux/linux_misc.c	2016-01-15 00:02:07 UTC (rev 7425)
@@ -1095,9 +1095,11 @@
 	if (error)
 		goto out;
 	newcred = crget();
+	crextend(newcred, ngrp + 1);
 	p = td->td_proc;
 	PROC_LOCK(p);
-	oldcred = crcopysafe(p, newcred);
+	oldcred = p->p_ucred;
+	crcopy(newcred, oldcred);
 
 	/*
 	 * cr_groups[0] holds egid. Setting the whole set from


Property changes on: trunk/sys/compat/linux/linux_misc.c
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.5
\ No newline at end of property
Modified: trunk/sys/i386/linux/syscalls.master
===================================================================
--- trunk/sys/i386/linux/syscalls.master	2016-01-14 13:45:37 UTC (rev 7424)
+++ trunk/sys/i386/linux/syscalls.master	2016-01-15 00:02:07 UTC (rev 7425)
@@ -520,8 +520,8 @@
 ; linux 2.6.17:
 311	AUE_NULL	STD	{ int linux_set_robust_list(struct linux_robust_list_head *head, \
 					l_size_t len); }
-312	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, struct linux_robust_list_head **head, \
-					l_size_t *len); }
+312	AUE_NULL	STD	{ int linux_get_robust_list(l_int pid, \
+				    struct linux_robust_list_head **head, l_size_t *len); }
 313	AUE_NULL	STD	{ int linux_splice(void); }
 314	AUE_NULL	STD	{ int linux_sync_file_range(void); }
 315	AUE_NULL	STD	{ int linux_tee(void); }

Modified: trunk/sys/kern/kern_prot.c
===================================================================
--- trunk/sys/kern/kern_prot.c	2016-01-14 13:45:37 UTC (rev 7424)
+++ trunk/sys/kern/kern_prot.c	2016-01-15 00:02:07 UTC (rev 7425)
@@ -88,7 +88,6 @@
 
 SYSCTL_NODE(_security, OID_AUTO, bsd, CTLFLAG_RW, 0, "BSD security policy");
 
-static void crextend(struct ucred *cr, int n);
 static void crsetgroups_locked(struct ucred *cr, int ngrp,
     gid_t *groups);
 
@@ -1974,7 +1973,7 @@
 /*
  * Extend the passed in credential to hold n items.
  */
-static void
+void
 crextend(struct ucred *cr, int n)
 {
 	int cnt;

Modified: trunk/sys/sys/ucred.h
===================================================================
--- trunk/sys/sys/ucred.h	2016-01-14 13:45:37 UTC (rev 7424)
+++ trunk/sys/sys/ucred.h	2016-01-15 00:02:07 UTC (rev 7425)
@@ -104,6 +104,7 @@
 void	crcopy(struct ucred *dest, struct ucred *src);
 struct ucred	*crcopysafe(struct proc *p, struct ucred *cr);
 struct ucred	*crdup(struct ucred *cr);
+void	crextend(struct ucred *cr, int n);
 void	cred_update_thread(struct thread *td);
 void	crfree(struct ucred *cr);
 struct ucred	*crget(void);

More information about the Midnightbsd-cvs mailing list