d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
b316507576
freebsd-dev/sys/fs
History
Robert Watson be80264279 Properly bounds check ioctl/pioctl data arguments for Coda: 
1. Use unsigned rather than signed lengths
2. Bound messages to/from Venus to VC_MAXMSGSIZE
3. Bound messages to/from general user processes to VC_MAXDATASIZE
4. Update comment regarding data limits for pioctl

Without (1) and (3), it may be possible for unprivileged user processes to
read sensitive portions of kernel memory.  This issue is only present if
the Coda kernel module is loaded and venus (the userspace Coda daemon) is
running and has /coda mounted.

As Coda is considered experimental and production use is warned against in
the coda(4) man page, and because Coda must be explicitly configured for a
configuration to be vulnerable, we won't be issuing a security advisory.
However, if you are using Coda, then you are advised to apply these fixes.

Reported by:	Dan J. Rosenberg <drosenberg at vsecurity.com>
Obtained from:	NetBSD (Christos Zoulas)
Security:	Kernel memory disclosure; no advisory as feature experimental
MFC after:	3 days
2010-08-07 08:08:14 +00:00
..
cd9660 Revert the previous commit. The race is not applicable to the lockmgr 2010-07-16 19:52:03 +00:00
coda Properly bounds check ioctl/pioctl data arguments for Coda: 2010-08-07 08:08:14 +00:00
deadfs Add function vop_rename_fail(9) that performs needed cleanup for locks 2010-04-02 14:03:01 +00:00
devfs Enable shared lookups and externed shared ops for devfs. 2010-08-06 09:46:53 +00:00
ext2fs Move checking against RLIMIT_FSIZE into one place, vn_rlimit_fsize(). 2010-05-05 16:44:25 +00:00
fdescfs Fix a long standing regression of readdir(3) in fdescfs(5) introduced 2010-03-16 19:59:14 +00:00
fifofs - Improve comments about locking of the "struct fifoinfo" which is a bit 2009-11-06 22:29:46 +00:00
hpfs Remove the thread argument from the FSD (File-System Dependent) parts of 2009-05-11 15:33:26 +00:00
msdosfs Style fixes and removal of unneeded variable. 2010-05-06 18:43:19 +00:00
nfs Modify the return value for nfscl_mustflush() from boolean_t, 2010-08-03 01:49:28 +00:00
nfsclient Modify the return value for nfscl_mustflush() from boolean_t, 2010-08-03 01:49:28 +00:00
nfsserver Patch the experimental NFSv4 server so that it acquires a reference 2010-07-16 23:17:05 +00:00
ntfs Fix ntfs such that it understand media with a non-512-bytes sector size: 2009-12-07 15:15:08 +00:00
nullfs Disable bypass for the vop_advlockpurge(). The vop is called after 2010-05-16 05:00:29 +00:00
nwfs Eliminate unnecessary page queues locking. 2010-06-18 22:12:12 +00:00
portalfs Don't use ap->a_td->td_ucred when we were passed ap->a_cred. 2009-12-02 18:09:22 +00:00
procfs fix a few cases where a string is passed via format argument instead of 2010-06-11 19:27:21 +00:00
pseudofs The cache_enter(9) function shall not be called for doomed dvp. 2010-04-20 10:19:27 +00:00
smbfs Eliminate unnecessary page queues locking. 2010-06-18 22:12:12 +00:00
tmpfs Eliminate unnecessary page queues locking. 2010-06-16 00:41:21 +00:00
udf Revert the previous commit. The race is not applicable to the lockmgr 2010-07-16 19:52:03 +00:00
unionfs Fix build. 2010-07-18 07:55:22 +00:00