From owner-dev-commits-src-all@freebsd.org  Tue May 18 03:08:19 2021
Return-Path: <owner-dev-commits-src-all@freebsd.org>
Delivered-To: dev-commits-src-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 05D6763BD4E;
 Tue, 18 May 2021 03:08:19 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4FkgtV6cmrz3wQZ;
 Tue, 18 May 2021 03:08:18 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id CBF0D17DA3;
 Tue, 18 May 2021 03:08:18 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
 by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 14I38IDQ021374;
 Tue, 18 May 2021 03:08:18 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
 by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 14I38ImZ021373;
 Tue, 18 May 2021 03:08:18 GMT (envelope-from git)
Date: Tue, 18 May 2021 03:08:18 GMT
Message-Id: <202105180308.14I38ImZ021373@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
 dev-commits-src-main@FreeBSD.org
From: Colin Percival <cperciva@FreeBSD.org>
Subject: git: b6be9566d236 - main - Fix buffer overflow in preloaded hostuuid
 cleaning
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: cperciva
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: b6be9566d236f83ad1a44170a64b9a34e382eafa
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-all@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commit messages for all branches of the src repository
 <dev-commits-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/dev-commits-src-all>, 
 <mailto:dev-commits-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/dev-commits-src-all/>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Help: <mailto:dev-commits-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all>, 
 <mailto:dev-commits-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 18 May 2021 03:08:19 -0000

The branch main has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=b6be9566d236f83ad1a44170a64b9a34e382eafa

commit b6be9566d236f83ad1a44170a64b9a34e382eafa
Author:     Colin Percival <cperciva@FreeBSD.org>
AuthorDate: 2021-05-14 18:07:37 +0000
Commit:     Colin Percival <cperciva@FreeBSD.org>
CommitDate: 2021-05-18 03:07:49 +0000

    Fix buffer overflow in preloaded hostuuid cleaning
    
    When a module of type "hostuuid" is provided by the loader,
    prison0_init strips any trailing whitespace and ASCII control
    characters by (a) adjusting the buffer length, and (b) zeroing out
    the characters in question, before storing it as the system's
    hostuuid.
    
    The buffer length adjustment was correct, but the zeroing overwrote
    one byte higher in memory than intended -- in the typical case,
    zeroing one byte past the end of the hostuuid buffer.  Due to the
    layout of buffers passed by the boot loader to the kernel, this will
    be the first byte of a subsequent buffer.
    
    This was *probably* harmless; prison0_init runs after preloaded kernel
    modules have been linked and after the preloaded /boot/entropy cache
    has been processed, so in both cases having the first byte overwritten
    will not cause problems.  We cannot however rule out the possibility
    that other objects which are preloaded by the loader could suffer from
    having the first byte overwritten.
    
    Since the zeroing does not in fact serve any purpose, remove it and
    trim trailing whitespace and ASCII control characters by adjusting
    the buffer length alone.
    
    Fixes:          c3188289 Preload hostuuid for early-boot use
    Reviewed by:    kevans, markj
    MFC after:      3 days
---
 sys/kern/kern_jail.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index f4cd6bd38d35..303e31490eb1 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -257,7 +257,7 @@ prison0_init(void)
 			 * non-printable characters to be safe.
 			 */
 			while (size > 0 && data[size - 1] <= 0x20) {
-				data[size--] = '\0';
+				size--;
 			}
 			if (validate_uuid(data, size, NULL, 0) == 0) {
 				(void)strlcpy(prison0.pr_hostuuid, data,