Date: Thu, 14 Jul 2011 00:48:37 GMT From: Guy Harris <guy@alum.mit.edu> To: freebsd-gnats-submit@FreeBSD.org Subject: kern/158880: bpf_filter() can leak kernel stack contents Message-ID: <201107140048.p6E0mbiT081959@red.freebsd.org> Resent-Message-ID: <201107140050.p6E0o8HI058613@freefall.freebsd.org>
index | next in thread | raw e-mail
>Number: 158880
>Category: kern
>Synopsis: bpf_filter() can leak kernel stack contents
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jul 14 00:50:08 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Guy Harris
>Release: Any
>Organization:
>Environment:
N/A (problem found by looking at OpenBSD's source repository)
>Description:
http://seclists.org/fulldisclosure/2010/Nov/89
That's Linux's BPF interpreter, but the same problem exists with the *BSD BPF interpreter:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/bpf_filter.c.diff?r1=1.21;r2=1.22
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/bpf_filter.c?rev=1.22;content-type=text%2Fx-cvsweb-markup
>How-To-Repeat:
A little more work, as BSD's BPF interpreter isn't supported on arbitrary sockets, just on BPF devices, but you could probably try to cook something interesting up.
>Fix:
Add a bzero() or memset(..., 0, ...) to zero out the men array early in bpf_filter().
>Release-Note:
>Audit-Trail:
>Unformatted:
help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201107140048.p6E0mbiT081959>