CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	Gleb Smirnoff <glebius@FreeBSD.org>
	Thu, 14 Jan 2016 10:13:58 +0000 (10:13 +0000)
committer	Gleb Smirnoff <glebius@FreeBSD.org>
	Thu, 14 Jan 2016 10:13:58 +0000 (10:13 +0000)
commit	037f750877f04f57a316f597f2e0176fa1e19aab
tree	9d48b94cb8823f28687a449380ee744975864a66	tree \| snapshot
parent	479795819a80a3d669f5f36903e3bbf418768f0a	commit \| diff

Change linux get_robust_list system call to match actual linux one.

The set_robust_list system call request the kernel to record the head
of the list of robust futexes owned by the calling thread. The head
argument is the list head to record.
The get_robust_list system call should return the head of the robust
list of the thread whose thread id is specified in pid argument.
The list head should be stored in the location pointed to by head
argument.

In contrast, our implemenattion of get_robust_list system call copies
the known portion of memory pointed by recorded in set_robust_list
system call pointer to the head of the robust list to the location
pointed by head argument.

So, it is possible for a local attacker to read portions of kernel
memory, which may result in a privilege escalation.

Submitted by: mjg
Security: SA-16:03.linux

sys/amd64/linux/syscalls.master		diff \| blob \| history
sys/amd64/linux32/syscalls.master		diff \| blob \| history
sys/compat/linux/linux_futex.c		diff \| blob \| history
sys/i386/linux/syscalls.master		diff \| blob \| history