Date: Sun, 31 Jan 2021 09:35:31 -0800
From: Gordon Tetlow <gordon@tetlows.org>
To: Andrea Venturoli <ml@netfence.it>
Cc: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-21:01.fsdisclosure
Message-ID: <6260D94B-3CC6-48CB-AA5A-7438D1E39679@tetlows.org>
In-Reply-To: <15879d07-6563-f762-c93c-cf91c9516ce7@netfence.it>
References: <20210129022826.C82C91DB44@freefall.freebsd.org> <f32df288-0d05-0ece-52e5-042fe93d6940@quip.cz> <15879d07-6563-f762-c93c-cf91c9516ce7@netfence.it>

> On Jan 31, 2021, at 7:25 AM, Andrea Venturoli <ml@netfence.it> wrote:
>
> On 1/31/21 12:29 PM, Miroslav Lachman wrote:
>
>>> Several file systems were not properly initializing the d_off field of
>>> the dirent structures returned by VOP_READDIR. In particular, tmpfs(5),
>>> smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result,
>>> eight uninitialized kernel stack bytes may be leaked to userspace by
>>> these file systems. This problem is not present in FreeBSD 11.
>> There is a Corrected in: stable/11, 11.4-STABLE and releng/11.4, 11.4-RELEASE-p7, but later is a statement "This problem is not present in FreeBSD 11".
>> What is true? Is it fixed in newer patchlevel of FreeBSD 11.4 or it was not present in 11.x at all?
>
> My understanding is that the problem described in that paragraph does not affect 11.x, but the next one does (and is "Corrected...").
>
> I.e. 11.x is affected by:
>
>> Additionally, msdosfs(5) was failing to zero-fill a pair of padding
>> fields in the dirent structure, resulting in a leak of three
>> uninitialized bytes.
>
>
> Is that right?

This is correct. If you look at the patch cited for 11.x, it only has a fix applied to msdosfs(5).

Best regards,
Gordon
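
The two leaks quoted from the advisory above (eight bytes via an unset d_off, three bytes via unset padding fields), reproduced in user space as an added example that is not part of the original message or of the FreeBSD patch. `struct toy_dirent`, its `d_pad0`/`d_pad1` fields and the 0xAA stale-memory marker are constructed assumptions chosen so the byte counts match the advisory's figures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (assumption, not FreeBSD's header); no implicit holes. */
struct toy_dirent {
    uint64_t d_fileno;
    uint64_t d_off;       /* field the advisory says was left unset */
    uint16_t d_reclen;
    uint8_t  d_type;
    uint8_t  d_pad0;      /* hypothetical 1-byte padding field */
    uint16_t d_namlen;
    uint16_t d_pad1;      /* hypothetical 2-byte padding field */
    char     d_name[256];
};

#define STALE 0xAA        /* stands in for leftover stack contents */

/* Count header bytes (everything before d_name) still holding stale data. */
static size_t stale_header_bytes(const struct toy_dirent *de)
{
    const unsigned char *p = (const unsigned char *)de;
    size_t i, n = 0;
    for (i = 0; i < offsetof(struct toy_dirent, d_name); i++)
        if (p[i] == STALE)
            n++;
    return n;
}

/* mode 0: d_off and padding never written; mode 1: d_off written,
 * padding not; mode 2: whole record zeroed before any field is set. */
size_t fill_and_audit(int mode)
{
    struct toy_dirent de;
    memset(&de, STALE, sizeof(de));          /* simulate a dirty stack slot */
    if (mode == 2)
        memset(&de, 0, sizeof(de));          /* hardened: zero-fill first */
    de.d_fileno = 42;
    de.d_reclen = (uint16_t)sizeof(de);
    de.d_type = 8;
    de.d_namlen = 5;
    memcpy(de.d_name, "a.txt", 6);
    if (mode >= 1)
        de.d_off = 1;
    return stale_header_bytes(&de);          /* bytes a copyout would expose */
}

int main(void)
{
    for (int m = 0; m <= 2; m++)
        printf("mode %d: %zu stale header bytes\n", m, fill_and_audit(m));
    return 0;
}
```

Zeroing the whole record before filling it covers fields and padding alike, so the result does not depend on remembering each member individually.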