Date: Tue, 18 May 2021 03:08:18 GMT From: Colin Percival <cperciva@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: b6be9566d236 - main - Fix buffer overflow in preloaded hostuuid cleaning Message-ID: <202105180308.14I38ImZ021373@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by cperciva: URL: https://cgit.FreeBSD.org/src/commit/?id=b6be9566d236f83ad1a44170a64b9a34e382eafa commit b6be9566d236f83ad1a44170a64b9a34e382eafa Author: Colin Percival <cperciva@FreeBSD.org> AuthorDate: 2021-05-14 18:07:37 +0000 Commit: Colin Percival <cperciva@FreeBSD.org> CommitDate: 2021-05-18 03:07:49 +0000 Fix buffer overflow in preloaded hostuuid cleaning When a module of type "hostuuid" is provided by the loader, prison0_init strips any trailing whitespace and ASCII control characters by (a) adjusting the buffer length, and (b) zeroing out the characters in question, before storing it as the system's hostuuid. The buffer length adjustment was correct, but the zeroing overwrote one byte higher in memory than intended -- in the typical case, zeroing one byte past the end of the hostuuid buffer. Due to the layout of buffers passed by the boot loader to the kernel, this will be the first byte of a subsequent buffer. This was *probably* harmless; prison0_init runs after preloaded kernel modules have been linked and after the preloaded /boot/entropy cache has been processed, so in both cases having the first byte overwritten will not cause problems. We cannot however rule out the possibility that other objects which are preloaded by the loader could suffer from having the first byte overwritten. Since the zeroing does not in fact serve any purpose, remove it and trim trailing whitespace and ASCII control characters by adjusting the buffer length alone. Fixes: c3188289 Preload hostuuid for early-boot use Reviewed by: kevans, markj MFC after: 3 days --- sys/kern/kern_jail.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index f4cd6bd38d35..303e31490eb1 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -257,7 +257,7 @@ prison0_init(void) * non-printable characters to be safe. */ while (size > 0 && data[size - 1] <= 0x20) { - data[size--] = '\0'; + size--; } if (validate_uuid(data, size, NULL, 0) == 0) { (void)strlcpy(prison0.pr_hostuuid, data,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202105180308.14I38ImZ021373>