From owner-freebsd-security Wed Nov 17 9:28:02 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 8977B14C59 for ; Wed, 17 Nov 1999 09:27:46 -0800 (PST) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id JAA64140; Wed, 17 Nov 1999 09:27:42 -0800 (PST) (envelope-from dillon)
Date: Wed, 17 Nov 1999 09:27:42 -0800 (PST)
From: Matthew Dillon
Message-Id: <199911171727.JAA64140@apollo.backplane.com>
To: Kelly Yancey
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: kernel stack contents visible from userland
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:
:   Is there any security concern with a portion of the kernel's stack being
:visible from userland?  The reason I ask is that while investigating
:another issue, I noticed that stat family of calls (and probably others)
:leave kernel stack contents into userland via spare struct stat fields (I
:imagine other structures have similar behavior with regards to the padding
:between fields for alignment).
:
:   The attached (simple) patch, applied in /sys/kern fixes it for stat and
:family.  That is, assuming that this is something that needs fixing :)
:
:--
:Kelly Yancey  -  kbyanc@posi.net  -  Richmond, VA

    Since the kernel stack is per-process, I don't think there is any
    security concern.  But you've definitely uncovered an undesired trait
    so I think your patch is a good one.

					-Matt
					Matthew Dillon

:Director of Technical Services, ALC Communications  http://www.alcnet.com/
:Maintainer, BSD Driver Database       http://www.posi.net/freebsd/drivers/
:Coordinator, Team FreeBSD       http://www.posi.net/freebsd/Team-FreeBSD/
:
:--- kern_descrip.c.orig	Mon Nov 15 22:11:57 1999
:+++ kern_descrip.c	Mon Nov 15 22:27:43 1999
:@@ -548,9 +548,11 @@
: 		panic("ofstat");
: 		/*NOTREACHED*/
: 	}
:-	cvtstat(&ub, &oub);
:...
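Review bot: the quoted hunk shows only the removed `cvtstat(&ub, &oub);` line, and its replacement `+` lines are cut off in the quote, so it cannot be confirmed from what is visible that `oub` is cleared in full before `cvtstat` fills it. For the fix the message describes (stop spare `struct stat` fields carrying kernel stack contents out to userland) the whole old-format record `oub` needs to be zeroed before the conversion, e.g. `bzero(&oub, sizeof(oub));` immediately ahead of the `cvtstat(&ub, &oub);` call, so that both the reserved fields and the alignment padding between fields reach the copyout with defined values; clearing only the named spare fields would still leave the padding bytes stale.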
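As an added example, not code from this thread or from the FreeBSD tree, the following C program shows the class of defect the message describes: a record that is filled field by field and then handed out as raw bytes carries whatever its memory held before, both in the alignment padding between fields and in reserved "spare" fields, and zeroing the record before filling it removes the leak. The `struct demo_stat` layout, its field names and the 0xAA "stale stack" pattern are all constructed for the demonstration; in the kernel the same pattern applies to the stat structures before they are copied out.

```c
/* Added example (not from the FreeBSD list or source tree): a struct filled
 * field by field keeps stale memory in its padding and spare fields; zeroing
 * it first gives every byte a defined value.  Layout, names and the 0xAA
 * pattern are constructed for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stat-like record: st_mode is 16 bits, so the compiler inserts
 * two bytes of padding before st_size; st_spare stands in for the reserved
 * fields of the old struct stat that the message talks about. */
struct demo_stat {
    uint16_t st_mode;
    uint32_t st_size;
    uint32_t st_spare[2];
};

#define STALE_BYTE 0xAA   /* stands in for leftover kernel stack contents */

/* Shares storage so the record can be inspected byte by byte, the way a
 * copyout of the whole object would expose it. */
union frame {
    struct demo_stat st;
    unsigned char raw[sizeof(struct demo_stat)];
};

/* Leaky pattern: only the named fields are assigned; padding and spare
 * fields keep whatever the memory held before the call. */
static void fill_leaky(struct demo_stat *sb, uint16_t mode, uint32_t size)
{
    sb->st_mode = mode;
    sb->st_size = size;
}

/* Hardened pattern: clear the whole object before filling it, so every byte
 * that leaves the function has a defined value. */
static void fill_zeroed(struct demo_stat *sb, uint16_t mode, uint32_t size)
{
    memset(sb, 0, sizeof(*sb));
    sb->st_mode = mode;
    sb->st_size = size;
}

/* Pre-fill the frame with the stale pattern, run the filler, then count how
 * many bytes of the "copied out" record still carry stale contents. */
static size_t count_stale(void (*fill)(struct demo_stat *, uint16_t, uint32_t))
{
    union frame f;
    size_t i, stale = 0;

    memset(f.raw, STALE_BYTE, sizeof(f.raw));   /* simulated stale stack */
    fill(&f.st, 0x81A4, 4096);                  /* constructed mode/size */
    for (i = 0; i < sizeof(f.raw); i++)
        if (f.raw[i] == STALE_BYTE)
            stale++;
    return stale;
}

/* Two bytes of padding plus eight bytes of spare fields stay stale. */
size_t stale_bytes_leaky(void)  { return count_stale(fill_leaky);  }
/* Nothing stale survives the memset. */
size_t stale_bytes_zeroed(void) { return count_stale(fill_zeroed); }

int main(void)
{
    printf("record size    : %zu bytes\n", sizeof(struct demo_stat));
    printf("leaky fill     : %zu stale bytes reach userland\n",
           stale_bytes_leaky());
    printf("zero-then-fill : %zu stale bytes reach userland\n",
           stale_bytes_zeroed());
    return 0;
}
```

The count of stale bytes is what a userland reader of the record would see: the named fields look correct either way, which is why this kind of leak survives normal testing and only shows up when someone inspects the unused bytes of the structure.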