| author | Colin Percival <cperciva@FreeBSD.org> | 2004-12-01 21:35:57 +0000 |
|---|---|---|
| committer | Colin Percival <cperciva@FreeBSD.org> | 2004-12-01 21:35:57 +0000 |
| commit | ecd60a0359884f3a74ec1e0326de67f9ac118907 (patch) | |
| tree | a433ee04c022452ac584f97f49aaf93162f29000 | |
| parent | 841169669f763ae1f0c9e1fdee81105d80e17904 (diff) | |
Notes
| -rw-r--r-- | UPDATING | 5 | ||||
| -rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
| -rw-r--r-- | sys/miscfs/procfs/procfs_status.c | 17 |
3 files changed, 22 insertions, 2 deletions
@@ -17,6 +17,11 @@ minimal number of processes, if possible, for that patch. For those updates that don't have an advisory, or to be safe, you can do a full build and install as described in the COMMON ITEMS section. +20041201: p5 FreeBSD-SA-04:17.procfs + Fix a tainted pointer dereference in procfs(5) and linprocfs(5) + which could allow a local attacker to panic a system and/or read + from kernel memory. + 20041118: p26 FreeBSD-SA-04:16.fetch Correct a buffer overflow in fetch(1) which could allow a mallicious server to execute arbitrary code on the client. diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 12447784b27b..b61a99cd7425 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -36,7 +36,7 @@ TYPE="FreeBSD" REVISION="4.8" -BRANCH="RELEASE-p26" +BRANCH="RELEASE-p27" RELEASE="${REVISION}-${BRANCH}" VERSION="${TYPE} ${RELEASE}" diff --git a/sys/miscfs/procfs/procfs_status.c b/sys/miscfs/procfs/procfs_status.c index 370f23a6efb2..3e8dbc72f5ed 100644 --- a/sys/miscfs/procfs/procfs_status.c +++ b/sys/miscfs/procfs/procfs_status.c @@ -186,6 +186,7 @@ procfs_docmdline(curp, p, pfs, uio) char *buf, *bp; int buflen; struct ps_strings pstr; + char **ps_argvstr; int i; size_t bytes_left, done; @@ -223,9 +224,22 @@ procfs_docmdline(curp, p, pfs, uio) FREE(buf, M_TEMP); return (error); } + if (pstr.ps_nargvstr > ARG_MAX) { + FREE(buf, M_TEMP); + return (E2BIG); + } + MALLOC(ps_argvstr, char **, pstr.ps_nargvstr * sizeof(char *), + M_TEMP, M_WAITOK); + error = copyin((void *)pstr.ps_argvstr, ps_argvstr, + pstr.ps_nargvstr * sizeof(char *)); + if (error) { + FREE(ps_argvstr, M_TEMP); + FREE(buf, M_TEMP); + return (error); + } bytes_left = buflen; for (i = 0; bytes_left && (i < pstr.ps_nargvstr); i++) { - error = copyinstr(pstr.ps_argvstr[i], ps, + error = copyinstr(ps_argvstr[i], ps, bytes_left, &done); /* If too long or malformed, just truncate */ if (error) { 
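Review bot: The new guard on `pstr.ps_nargvstr` in procfs_docmdline bounds only the upper side. If that field is a signed `int` in `struct ps_strings` (the declaration is not on this page, though the loop compares it against `int i`), a negative count passes `> ARG_MAX` and becomes a very large `size_t` in the `MALLOC` and `copyin` size expressions. I would reject it in the same guard: `if (pstr.ps_nargvstr < 0 || pstr.ps_nargvstr > ARG_MAX) {`. A one-line comment above it, such as `/* count is presumably process-supplied; bound it before sizing the allocation */`, would also record why ARG_MAX is being used as an argument-count ceiling. The function body starts and ends outside this hunk, so the origin of `pstr` should be confirmed against the full file.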
@@ -236,6 +250,7 @@ procfs_docmdline(curp, p, pfs, uio) bytes_left -= done; } buflen = ps - buf; + FREE(ps_argvstr, M_TEMP); } error = uiomove_frombuf(bp, buflen, uio); |
