855acb84ca
Use the sysctl_handle_int() handler to write out the old value and read the new value into a temporary variable. Use the temporary variable for any checks of values rather than using the CAST_PTR_INT() macro on req->newptr. The prior usage read directly from userspace memory if the sysctl() was called correctly. This is unsafe and doesn't work at all on some architectures (at least i386.) In some cases, the code could also be tricked into reading from kernel memory and leaking limited information about the contents or crashing the system. This was true for CDG, newreno, and siftr on all platforms and true for i386 in all cases. The impact of this bug is largest in VIMAGE jails which have been configured to allow writing to these sysctls. Per discussion with the security officer, we will not be issuing an advisory for this issue as root access and a non-default config are required to be impacted. Reviewed by: markj, bz Discussed with: gordon (security officer) MFC after: 3 days Security: kernel information leak, local DoS (both require root) Differential Revision: https://reviews.freebsd.org/D18443 |
||
|---|---|---|
| .. | ||
| cc_cdg.c | ||
| cc_chd.c | ||
| cc_cubic.c | ||
| cc_cubic.h | ||
| cc_dctcp.c | ||
| cc_hd.c | ||
| cc_htcp.c | ||
| cc_module.h | ||
| cc_newreno.c | ||
| cc_newreno.h | ||
| cc_vegas.c | ||
| cc.c | ||
| cc.h | ||