Date:      Wed, 23 Oct 2019 13:52:22 +0100
From:      Andrew Turner <andrew@freebsd.org>
To:        Alan Somers <asomers@freebsd.org>
Cc:        src-committers <src-committers@freebsd.org>, svn-src-all <svn-src-all@freebsd.org>, svn-src-head <svn-src-head@freebsd.org>
Subject:   Re: svn commit: r353640 - head/sys/kern
Message-ID:  <1F97D894-2D71-45BB-AEA1-70CC1BA1D155@freebsd.org>
In-Reply-To: <CAOtMX2hfGrUtskf36H6r3kFu1JpjTs2yAU7rK5dRtAMp%2BXm=XQ@mail.gmail.com>
References:  <201910161321.x9GDL2ee021543@repo.freebsd.org> <CAOtMX2hfGrUtskf36H6r3kFu1JpjTs2yAU7rK5dRtAMp%2BXm=XQ@mail.gmail.com>



> On 22 Oct 2019, at 16:50, Alan Somers <asomers@freebsd.org> wrote:
> 
> On Wed, Oct 16, 2019 at 7:21 AM Andrew Turner <andrew@freebsd.org> wrote:
> Author: andrew
> Date: Wed Oct 16 13:21:01 2019
> New Revision: 353640
> URL: https://svnweb.freebsd.org/changeset/base/353640
> 
> Log:
>   Stop leaking information from the kernel through timespec
> 
>   The timespec struct holds a seconds value in a time_t and a nanoseconds
>   value in a long. On most architectures these are the same size, however
>   on 32-bit architectures other than i386 time_t is 8 bytes and long is
>   4 bytes.
> 
>   Most ABIs will then pad a struct holding an 8 byte and 4 byte value to
>   16 bytes with 4 bytes of padding. When copying one of these structs the
>   compiler is free to copy the padding if it wishes.
> 
>   In this case the padding may contain kernel data that is then leaked to
>   userspace. Fix this by copying the timespec elements rather than the
>   entire struct.
> 
>   This doesn't affect Tier-1 architectures so no SA is expected.
> 
>   admbugs:      651
>   MFC after:    1 week
>   Sponsored by: DARPA, AFRL
> 
> Good catch.  Might I ask how you found it, or who reported it?

I found it via one of the tests. It uses memcmp to check the struct
returned was identical to what it expected. On closer inspection I found
the difference was in the padding.

Andrew
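The padding leak described in the commit message and the memcmp check that exposed it, as an added example that is not code from r353640, from FreeBSD, or from either poster. A hypothetical struct ts32 stands in for the timespec layout on 32-bit architectures other than i386 (8-byte time_t, 4-byte long); _Alignas(8) pins the 64-bit member so the struct is padded to 16 bytes on whatever host compiles it. The names kernel_timespec, copy_whole_struct, copy_members, leak_demo and memcmp_demo, the 0xAA "stale stack" fill and the timestamp values are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not FreeBSD's struct timespec) of an 8-byte time_t
 * followed by a 4-byte long.  _Alignas(8) forces 8-byte alignment of the
 * 64-bit member, so the ABI rounds the struct up to 16 bytes on any host.
 * On i386 int64_t only needs 4-byte alignment, hence no padding there. */
struct ts32 {
    _Alignas(8) int64_t tv_sec;
    int32_t tv_nsec;
    /* 4 bytes of ABI padding follow tv_nsec */
};

/* Number of padding bytes the ABI inserted after tv_nsec. */
static size_t ts32_padding_bytes(void)
{
    return sizeof(struct ts32) -
           (offsetof(struct ts32, tv_nsec) + sizeof(int32_t));
}

/* Stand-in for a kernel stack frame; the union keeps the struct view aligned. */
static union {
    uint8_t bytes[32];
    struct ts32 ts;
} kframe;

/* Constructed input: an earlier call path left 0xAA "secret" bytes in the
 * frame.  Storing the two members writes only 12 of the 16 bytes, so the
 * padding keeps its stale contents. */
static const struct ts32 *kernel_timespec(int64_t sec, int32_t nsec)
{
    memset(kframe.bytes, 0xAA, sizeof kframe.bytes);
    kframe.ts.tv_sec = sec;
    kframe.ts.tv_nsec = nsec;
    return &kframe.ts;
}

/* Before the fix: whole-object copy.  memcpy makes the behaviour the commit
 * warns about deterministic; a compiler lowering `*out = *src` to a 16-byte
 * block move does the same and carries the padding along. */
static void copy_whole_struct(struct ts32 *out, const struct ts32 *src)
{
    memset(out, 0, sizeof *out);
    memcpy(out, src, sizeof *src);
}

/* After the fix: member-wise copy.  The zeroed padding of `out` is never
 * written, so no byte of the kernel frame reaches it. */
static void copy_members(struct ts32 *out, const struct ts32 *src)
{
    memset(out, 0, sizeof *out);
    out->tv_sec = src->tv_sec;
    out->tv_nsec = src->tv_nsec;
}

/* Non-zero bytes in the padding of an object zeroed before filling: each
 * one is a byte of kernel data that leaked. */
static size_t leaked_padding_bytes(const struct ts32 *out)
{
    const uint8_t *p = (const uint8_t *)out;
    size_t n = 0;
    for (size_t i = sizeof *out - ts32_padding_bytes(); i < sizeof *out; i++)
        n += (p[i] != 0);
    return n;
}

/* The memcmp-style check from the test that caught the bug: byte-exact
 * comparison against a zeroed struct holding the expected values. */
static int matches_expected(const struct ts32 *got, int64_t sec, int32_t nsec)
{
    struct ts32 want;
    memset(&want, 0, sizeof want);
    want.tv_sec = sec;
    want.tv_nsec = nsec;
    return memcmp(got, &want, sizeof want) == 0;
}

static const int64_t DEMO_SEC = 1571752342;   /* constructed timestamp */
static const int32_t DEMO_NSEC = 500000000;

/* Produce the struct userspace would receive, via the chosen copy path. */
static void run_copy(struct ts32 *user, int use_member_copy)
{
    const struct ts32 *ks = kernel_timespec(DEMO_SEC, DEMO_NSEC);
    if (use_member_copy)
        copy_members(user, ks);
    else
        copy_whole_struct(user, ks);
}

/* Padding bytes leaked to the user-visible copy (0 once fixed). */
static size_t leak_demo(int use_member_copy)
{
    struct ts32 user;
    run_copy(&user, use_member_copy);
    return leaked_padding_bytes(&user);
}

/* 1 if the memcmp test passes for the chosen copy path, 0 if it fails. */
static int memcmp_demo(int use_member_copy)
{
    struct ts32 user;
    run_copy(&user, use_member_copy);
    return matches_expected(&user, DEMO_SEC, DEMO_NSEC);
}

int main(void)
{
    printf("sizeof(struct ts32) = %zu, padding = %zu bytes\n",
           sizeof(struct ts32), ts32_padding_bytes());
    printf("whole-struct copy: %zu leaked byte(s), memcmp %s\n",
           leak_demo(0), memcmp_demo(0) ? "matches" : "differs");
    printf("member copy:       %zu leaked byte(s), memcmp %s\n",
           leak_demo(1), memcmp_demo(1) ? "matches" : "differs");
    return 0;
}
```

The memcmp check is the useful take-away for anyone writing tests around copyout'd structs: comparing members individually would have passed both paths, while a byte-exact comparison against a zeroed expected struct is what surfaces padding that was never initialised.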



