Date: Thu, 13 Jun 2019 14:52:24 +0800
From: Fuqian Huang <huangfq.daxian@gmail.com>
To: freebsd-hackers@freebsd.org
Subject: dev:md: A kernel address leakage in sys/dev/md/md.c
Message-ID: <CABXRUiSGuH-dLX3mJhmMTfm4qs%2BYsnCTimQkh=uxuaA8=U0Xcg@mail.gmail.com>

In freebsd/sys/dev/md/md.c, if the kernel is created with option MD_ROOT,
g_md_init will call md_preload and use mfs_root as the image.
In function md_preload, the address of image will be printed out; in this
case, the address of image is the address of a global object, mfs_root.
A kernel address leakage happens.

Patch suggestion: use a macro like #ifdef DEBUG to wrap the printf statement.

    u_char mfs_root[MD_ROOT_SIZE*1024] __attribute__ ((section("oldmfs")));

    static void
    g_md_init(struct g_class *mp __unused)
    {
        ...
    #ifdef MD_ROOT
        ...
    #ifdef MD_ROOT_MEM
        md_preload(mfs_root, mfs_root_size, NULL);
    #else
        md_preload(__DEVOLATILE(u_char *, &mfs_root), mfs_root_size, NULL);
    #endif
        ...
    #endif
    }

    static void
    md_preload(u_char *image, size_t length, const char *name)
    {
        ...
        if (name != NULL) {
            printf("%s%d: Preloaded image <%s> %zd bytes at %p\n",
                MD_NAME, sc->unit, name, length, image);
        } else {
            printf("%s%d: Embedded image %zd bytes at %p\n",
                MD_NAME, sc->unit, length, image);
        }
    }
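
Added example, not part of the original message and not code from md.c: a userland C filter that recognises the two md_preload() messages quoted above in a saved boot log and masks the pointer before the log is shared. It assumes MD_NAME expands to "md" and that %p is rendered as 0x followed by hex digits; redact_md_addr() and the sample lines are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from md.c. Assumptions: MD_NAME is "md" and
 * %p prints 0x<hex>. Returns 1 if the line is one of the md_preload()
 * messages and its address was masked in place, 0 otherwise.
 */
int redact_md_addr(char *line)
{
    static const char marker[] = " bytes at 0x";
    int unit, pos = 0;
    char *p, *hit = NULL, *d;

    /* Both variants start with "<MD_NAME><unit>: ". */
    if (sscanf(line, "md%d: %n", &unit, &pos) != 1 || pos == 0)
        return 0;
    if (strncmp(line + pos, "Preloaded image <", 17) != 0 &&
        strncmp(line + pos, "Embedded image ", 15) != 0)
        return 0;

    /* A preloaded image name is free text, so use the last marker. */
    for (p = line + pos; (p = strstr(p, marker)) != NULL; p++)
        hit = p;
    if (hit == NULL)
        return 0;
    d = hit + sizeof(marker) - 1;
    if (!isxdigit((unsigned char)*d))
        return 0;               /* truncated line, nothing to mask */
    for (; isxdigit((unsigned char)*d); d++)
        *d = '*';
    return 1;
}

int main(void)
{
    /* Constructed sample lines; the addresses are made up. */
    char lines[][80] = {
        "md0: Embedded image 4194304 bytes at 0xffffffff81a3c000",
        "md1: Preloaded image <root.img> 1048576 bytes at 0xfffff80003c00000",
        "md0: 4096 bytes written",
    };
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        int leaked = redact_md_addr(lines[i]);
        printf("%s %s\n", leaked ? "[addr]" : "[ok]  ", lines[i]);
    }
    return 0;
}
```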