From owner-freebsd-bugs@FreeBSD.ORG Tue Dec 6 20:10:09 2011
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Tue, 6 Dec 2011 20:10:09 GMT
Resent-Message-Id: <201112062010.pB6KA9AH071077@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Loganaden Velvindron
Message-Id: <201112062004.pB6K4uGY010407@red.freebsd.org>
Date: Tue, 6 Dec 2011 20:04:56 GMT
From: Loganaden Velvindron
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: kern/163098: ktrace leak & fix
List-Id: Bug reports
X-List-Received-Date: Tue, 06 Dec 2011 20:10:09 -0000

>Number: 163098
>Category: kern
>Synopsis: ktrace leak & fix
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Dec 06 20:10:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Loganaden Velvindron
>Release: 8.2
>Organization: devio.us
>Environment:
>Description:
djm@openbsd : The issue was that the syscall wrapper did not clear retval when an error occurs in the syscall itself. retval was being passed back to ktrace, and could leak some kernel stack (e.g. via ptrace PT_READ*).
>How-To-Repeat:
>Fix:
Index: src/sys/kern/kern_ktrace.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_ktrace.c,v retrieving revision 1.130.2.2.4.1 diff -u -p -r1.130.2.2.4.1 kern_ktrace.c --- src/sys/kern/kern_ktrace.c 21 Dec 2010 17:09:25 -0000 1.130.2.2.4.1 +++ src/sys/kern/kern_ktrace.c 3 Dec 2011 19:22:13 -0000 @@ -426,7 +426,7 @@ ktrsysret(code, error, retval) ktp = &req->ktr_data.ktr_sysret; ktp->ktr_code = code; ktp->ktr_error = error; - ktp->ktr_retval = retval; /* what about val2 ? */ + ktp->ktr_retval = error == 0 ? retval: 0; /* what about val2 ? */ ktr_submitrequest(curthread, req); }
>Release-Note:
>Audit-Trail:
>Unformatted:
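Review bot: the added line `ktp->ktr_retval = error == 0 ? retval: 0;` is missing the space before `:` that the surrounding code uses, and the retained `/* what about val2 ? */` comment shows the second return word is still copied unconditionally, so the same stale-stack concern the description raises applies to it as well. The hunk also only sanitises the value at the ktrace sink; the description names the syscall wrapper not clearing retval as the root cause and mentions ptrace PT_READ* as another channel, so clearing retval in the wrapper on the error path would protect every consumer rather than just this one record.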
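As an added illustration of the mechanism in the description and of the one-line fix in the hunk, here is a userland model written for this note (not FreeBSD's kern_ktrace.c); `dispatch`, `sys_failing`, `sys_ok`, the record struct and the sentinel stack value are assumptions made for the example.

```c
/* Added example (not FreeBSD code): a userland model of the leak in the
 * description and of the one-line fix in the hunk. Names are hypothetical. */
#include <errno.h>
#include <stdint.h>

typedef intptr_t reg_t;

/* Model of the KTR_SYSRET record that ktrace appends to the trace file. */
struct ktr_sysret {
    int   ktr_code;
    int   ktr_error;
    reg_t ktr_retval;
};

/* Constructed sentinel standing in for whatever a previous frame left on the
 * kernel stack; the real kernel would see unpredictable bytes here. */
#define STALE_STACK_WORD ((reg_t)0x5a5a5a5a)

/* Syscall that fails before ever assigning retval (the page's case). */
static int sys_failing(reg_t *retval) { (void)retval; return EFAULT; }
/* Syscall that succeeds and sets its result. */
static int sys_ok(reg_t *retval) { *retval = 42; return 0; }

typedef void (*tracer_t)(struct ktr_sysret *, int, int, reg_t);

/* Before the fix: the record takes retval whatever the error was. */
static void ktrsysret_leaky(struct ktr_sysret *ktp, int code, int error,
                            reg_t retval) {
    ktp->ktr_code = code;
    ktp->ktr_error = error;
    ktp->ktr_retval = retval;
}

/* After the fix: a failed call records 0, so stale stack never reaches the trace. */
static void ktrsysret_fixed(struct ktr_sysret *ktp, int code, int error,
                            reg_t retval) {
    ktp->ktr_code = code;
    ktp->ktr_error = error;
    ktp->ktr_retval = error == 0 ? retval : 0;
}

/* Model of the syscall wrapper: retval is a stack local that the wrapper does
 * not clear, and it is handed to the tracer regardless of the outcome. */
static int dispatch(int (*fn)(reg_t *), int code, tracer_t tracer,
                    struct ktr_sysret *rec) {
    reg_t retval = STALE_STACK_WORD; /* models uninitialised stack contents */
    int error = fn(&retval);
    tracer(rec, code, error, retval);
    return error;
}
```

Running the failing syscall through `ktrsysret_leaky` puts the sentinel into the record; the same call through `ktrsysret_fixed` records 0 while `ktr_error` still carries EFAULT.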