Date:      Wed, 22 Oct 2014 23:35:32 +0000 (UTC)
From:      Colin Percival <cperciva@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r273487 - head/sys/kern
Message-ID:  <201410222335.s9MNZW62045167@svn.freebsd.org>

Author: cperciva
Date: Wed Oct 22 23:35:32 2014
New Revision: 273487
URL: https://svnweb.freebsd.org/changeset/base/273487

Log:
  Avoid leaking data from the kernel environment: When we convert the
  initial static environment to a dynamic one, zero the static environment
  buffer, and zero individual values when kern_unsetenv and freeenv are
  called.
  
  Tested by:	kmoore (VM memory dump + grep)
  Tested by:	cperciva (kernel panic dump + grep)

Modified:
  head/sys/kern/kern_environment.c

Modified: head/sys/kern/kern_environment.c
==============================================================================
--- head/sys/kern/kern_environment.c	Wed Oct 22 22:27:51 2014	(r273486)
+++ head/sys/kern/kern_environment.c	Wed Oct 22 23:35:32 2014	(r273487)
@@ -224,7 +224,7 @@ init_static_kenv(char *buf, size_t len)
 static void
 init_dynamic_kenv(void *data __unused)
 {
-	char *cp;
+	char *cp, *cpnext;
 	size_t len;
 	int i;
 
@@ -232,7 +232,8 @@ init_dynamic_kenv(void *data __unused)
 		M_WAITOK | M_ZERO);
 	i = 0;
 	if (kern_envp && *kern_envp != '\0') {
-		for (cp = kern_envp; cp != NULL; cp = kernenv_next(cp)) {
+		for (cp = kern_envp; cp != NULL; cp = cpnext) {
+			cpnext = kernenv_next(cp);
 			len = strlen(cp) + 1;
 			if (len > KENV_MNAMELEN + 1 + KENV_MVALLEN + 1) {
 				printf(
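Review bot: Nothing in the loop says why `cpnext` is fetched at the top of the body rather than in the `for` header, and a later cleanup could easily fold it back. The successor has to be read before the `memset(cp, ...)` added further down, because kernenv_next() (not shown in this diff) presumably locates the next entry by walking the current string. I would add `/* Look up the next entry first; cp is zeroed below. */` above `cpnext = kernenv_next(cp);`. The body of init_dynamic_kenv continues outside this hunk.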
@@ -243,6 +244,7 @@ init_dynamic_kenv(void *data __unused)
 			if (i < KENV_SIZE) {
 				kenvp[i] = malloc(len, M_KENV, M_WAITOK);
 				strcpy(kenvp[i++], cp);
+				memset(cp, 0, strlen(cp));
 			} else
 				printf(
 				"WARNING: too many kenv strings, ignoring %s\n",
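Review bot: Only strings that are copied into `kenvp[]` are wiped here; an entry that takes the `else` branch ("too many kenv strings") stays in the static buffer, and the over-long entries rejected by the length check just above the hunk appear to be skipped the same way. Those leftovers remain readable in a memory or crash dump, which is what the log message sets out to prevent. Running the wipe for every entry after its last use, e.g. `memset(cp, 0, len - 1);` at the end of the loop body, would cover them and reuse the length already computed. The warning in the `else` branch formats the string with `%s`, so the wipe has to come after it. The function continues outside the hunk.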
@@ -260,8 +262,10 @@ void
 freeenv(char *env)
 {
 
-	if (dynamic_kenv)
+	if (dynamic_kenv) {
+		memset(env, 0, strlen(env));
 		free(env, M_KENV);
+	}
 }
 
 /*
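Review bot: The `memset()` directly before `free(env, M_KENV)` writes to memory that is never read again, so an optimizing compiler may remove it as a dead store; the same applies to the `memset(oldenv, ...)` added in kern_unsetenv(). Because scrubbing is the whole purpose of the change, a wipe that cannot be elided is safer, e.g. `explicit_bzero(env, strlen(env));` if the tree provides one at this revision. Separately, `strlen(env)` now dereferences `env`, so a NULL argument faults where the old body only handed it to free(); `if (dynamic_kenv && env != NULL) {` would keep that case harmless.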
@@ -437,6 +441,7 @@ kern_unsetenv(const char *name)
 			kenvp[i++] = kenvp[j];
 		kenvp[i] = NULL;
 		mtx_unlock(&kenv_lock);
+		memset(oldenv, 0, strlen(oldenv));
 		free(oldenv, M_KENV);
 		return (0);
 	}


