From owner-svn-src-all@freebsd.org Wed Oct 23 12:52:29 2019
From: Andrew Turner
Message-Id: <1F97D894-2D71-45BB-AEA1-70CC1BA1D155@freebsd.org>
Subject: Re: svn commit: r353640 - head/sys/kern
Date: Wed, 23 Oct 2019 13:52:22 +0100
To: Alan Somers
Cc: src-committers, svn-src-all, svn-src-head
References: <201910161321.x9GDL2ee021543@repo.freebsd.org>

> On 22 Oct 2019, at 16:50, Alan Somers wrote:
>
> On Wed, Oct 16, 2019 at 7:21 AM Andrew Turner wrote:
> Author: andrew
> Date: Wed Oct 16 13:21:01 2019
> New Revision: 353640
> URL: https://svnweb.freebsd.org/changeset/base/353640
>
> Log:
> Stop leaking information from the kernel through timespec
>
> The timespec struct holds a seconds value in a time_t and a nanoseconds
> value in a long. On most architectures these are the same size, however
> on 32-bit architectures other than i386 time_t is 8 bytes and long is
> 4 bytes.
>
> Most ABIs will then pad a struct holding an 8 byte and 4 byte value to
> 16 bytes with 4 bytes of padding. When copying one of these structs the
> compiler is free to copy the padding if it wishes.
>
> In this case the padding may contain kernel data that is then leaked to
> userspace. Fix this by copying the timespec elements rather than the
> entire struct.
>
> This doesn't affect Tier-1 architectures so no SA is expected.
>
> admbugs: 651
> MFC after: 1 week
> Sponsored by: DARPA, AFRL
>
> Good catch. Might I ask how you found it, or who reported it?

I found it via one of the tests. It uses memcmp to check the struct
returned was identical to what it expected. On closer inspection I found
the difference was in the padding.

Andrew
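As an added illustration of the padding leak the commit log describes (this is not code from r353640 or from the thread): a constructed struct with the 8-byte time_t / 4-byte long layout, a whole-struct copy beside the element-wise copy the fix uses, and a memcmp-style check of how many stale padding bytes reach the user buffer. The sentinel byte, the field values and all function names are made up for the demonstration; the 16-byte layout appears on the usual 64-bit hosts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the layout the commit describes (8-byte time_t,
 * 4-byte long, padded to 16 bytes); fixed-width types so any host shows it. */
struct ts32 {
    int64_t tv_sec;
    int32_t tv_nsec;   /* 4 bytes of ABI padding follow this field */
};
#define PAYLOAD_OFF (offsetof(struct ts32, tv_nsec) + sizeof(int32_t))
#define STALE_BYTE  0x5a   /* constructed sentinel for "old kernel stack data" */

/* "Kernel side": only the named fields are written, so the padding keeps
 * whatever the stack slot held before (here: the sentinel). */
static void build_kernel_ts(struct ts32 *ts)
{
    memset(ts, STALE_BYTE, sizeof(*ts));
    ts->tv_sec = 1571232061;
    ts->tv_nsec = 123456789;
}
/* Leaky pattern: whole struct, padding included. memcpy makes the padding
 * copy that the commit says a compiler "is free to" do happen every time. */
static void copyout_whole(uint8_t *user, const struct ts32 *ts)
{
    memcpy(user, ts, sizeof(*ts));
}
/* Fixed pattern from the commit: copy the elements, never the padding. */
static void copyout_elements(uint8_t *user, const struct ts32 *ts)
{
    memcpy(user + offsetof(struct ts32, tv_sec), &ts->tv_sec, sizeof(ts->tv_sec));
    memcpy(user + offsetof(struct ts32, tv_nsec), &ts->tv_nsec, sizeof(ts->tv_nsec));
}
/* Padding bytes of a zero-filled "user" buffer that hold the sentinel after
 * one copy; anything above 0 is kernel memory reaching userspace. */
static size_t leaked_bytes(int whole)
{
    struct ts32 ts;
    uint8_t user[sizeof(struct ts32)] = {0};
    size_t i, n = 0;
    build_kernel_ts(&ts);
    if (whole) copyout_whole(user, &ts); else copyout_elements(user, &ts);
    for (i = PAYLOAD_OFF; i < sizeof(struct ts32); i++)
        n += (user[i] == STALE_BYTE);
    return n;
}
int main(void)
{
    printf("padding=%zu bytes; whole-copy leaks %zu, element-copy leaks %zu\n",
           sizeof(struct ts32) - PAYLOAD_OFF, leaked_bytes(1), leaked_bytes(0));
    return 0;
}
```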