kern_jail: missing \0 termination check on osrelease parameter
If a user spplies a non-\0 terminated osrelease parameter reading it back may disclose kernel memory. This is a problem in case of nested jails (children.max > 0, which is not the default). Otherwise root outside the jail has access to kernel memory by other means and root inside a jail cannot create a child jail. Add the proper \0 check at the end of a supplied osrelease parameter and make sure any copies of the field will be \0-terminated. Submitted by: Hans Christian Woithe (chwoithe yahoo.com) MFC after: 3 days
This commit is contained in:
parent
ebe8cd79d2
commit
1b786d0191
@ -865,8 +865,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
|
||||
"osrelease cannot be changed after creation");
|
||||
goto done_errmsg;
|
||||
}
|
||||
if (len == 0 || len >= OSRELEASELEN) {
|
||||
if (len == 0 || osrelstr[len - 1] != '\0') {
|
||||
error = EINVAL;
|
||||
goto done_free;
|
||||
}
|
||||
if (len >= OSRELEASELEN) {
|
||||
error = ENAMETOOLONG;
|
||||
vfs_opterror(opts,
|
||||
"osrelease string must be 1-%d bytes long",
|
||||
OSRELEASELEN - 1);
|
||||
@ -1241,9 +1245,11 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
|
||||
|
||||
pr->pr_osreldate = osreldt ? osreldt : ppr->pr_osreldate;
|
||||
if (osrelstr == NULL)
|
||||
strcpy(pr->pr_osrelease, ppr->pr_osrelease);
|
||||
strlcpy(pr->pr_osrelease, ppr->pr_osrelease,
|
||||
sizeof(pr->pr_osrelease));
|
||||
else
|
||||
strcpy(pr->pr_osrelease, osrelstr);
|
||||
strlcpy(pr->pr_osrelease, osrelstr,
|
||||
sizeof(pr->pr_osrelease));
|
||||
|
||||
LIST_INIT(&pr->pr_children);
|
||||
mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF | MTX_DUPOK);
|
||||
|
Loading…
x
Reference in New Issue
Block a user