[Midnightbsd-cvs] src [12262] trunk: System calls operating on file descriptors obtain a reference to
laffer1 at midnightbsd.org
Thu Aug 22 18:47:42 EDT 2019
Revision: 12262
http://svnweb.midnightbsd.org/src/?rev=12262
Author: laffer1
Date: 2019-08-22 18:47:41 -0400 (Thu, 22 Aug 2019)
Log Message:
-----------
System calls operating on file descriptors obtain a reference to
relevant struct file which due to a programming error was not always put
back, which in turn could be used to overflow the counter of affected
struct file.
Modified Paths:
--------------
trunk/UPDATING
trunk/sys/kern/uipc_mqueue.c
Modified: trunk/UPDATING
===================================================================
--- trunk/UPDATING 2019-08-22 22:45:11 UTC (rev 12261)
+++ trunk/UPDATING 2019-08-22 22:47:41 UTC (rev 12262)
@@ -6,6 +6,11 @@
exploit races in the handler to cause it to copy out kernel memory
outside the boundaries of midistat's data buffer.
+ System calls operating on file descriptors obtain a reference to
+ relevant struct file which due to a programming error was not always put
+ back, which in turn could be used to overflow the counter of affected
+ struct file.
+
20190821:
Security patch for CVE-2019-5611.
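Review bot: The added UPDATING paragraph carries no CVE or advisory identifier and does not name the affected code, unlike the "Security patch for CVE-2019-5611." line under 20190821, and because it sits directly below the midistat paragraph it reads as part of that item. Name the subsystem touched by this revision (sys/kern/uipc_mqueue.c) and add the advisory reference if one exists, so an administrator can tell which fix this text describes.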
Modified: trunk/sys/kern/uipc_mqueue.c
===================================================================
--- trunk/sys/kern/uipc_mqueue.c 2019-08-22 22:45:11 UTC (rev 12261)
+++ trunk/sys/kern/uipc_mqueue.c 2019-08-22 22:47:41 UTC (rev 12262)
@@ -2808,7 +2808,7 @@
if (uap->abs_timeout != NULL) {
error = copyin(uap->abs_timeout, &ets32, sizeof(ets32));
if (error != 0)
- return (error);
+ goto out;
CP(ets32, ets, tv_sec);
CP(ets32, ets, tv_nsec);
abs_timeout = &ets;
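Review bot: Other early returns need checking, since only this one "return (error)" after the failed copyin of uap->abs_timeout becomes "goto out", while the log message speaks of system calls in the plural. Please confirm that no other return in this file sits between taking the reference on fp and the fdrop(fp, td), in particular any sibling handler that copies in abs_timeout the same way; none is visible in this context.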
@@ -2817,6 +2817,7 @@
waitok = !(fp->f_flag & O_NONBLOCK);
error = mqueue_send(mq, uap->msg_ptr, uap->msg_len,
uap->msg_prio, waitok, abs_timeout);
+out:
fdrop(fp, td);
return (error);
}
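Review bot: Consider moving the copyin of uap->abs_timeout ahead of the point where fp is acquired (not visible in this context) rather than adding the "out:" label before fdrop(fp, td); a failed copyin could then return directly with no reference held. If the order has to stay, a short comment at "out:" stating that it releases the reference on fp would help keep a later edit from adding another bare return above it.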