From owner-svn-src-all@freebsd.org Fri Jun 19 01:04:26 2020 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4C2EC33A569; Fri, 19 Jun 2020 01:04:26 +0000 (UTC) (envelope-from mckusick@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 49p0vG1Lwlz4Krn; Fri, 19 Jun 2020 01:04:26 +0000 (UTC) (envelope-from mckusick@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 1052612AF0; Fri, 19 Jun 2020 01:04:26 +0000 (UTC) (envelope-from mckusick@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 05J14PH9015604; Fri, 19 Jun 2020 01:04:25 GMT (envelope-from mckusick@FreeBSD.org) Received: (from mckusick@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 05J14PPA015602; Fri, 19 Jun 2020 01:04:25 GMT (envelope-from mckusick@FreeBSD.org) Message-Id: <202006190104.05J14PPA015602@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: mckusick set sender to mckusick@FreeBSD.org using -f From: Kirk McKusick Date: Fri, 19 Jun 2020 01:04:25 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r362359 - head/sys/ufs/ffs X-SVN-Group: head X-SVN-Commit-Author: mckusick X-SVN-Commit-Paths: head/sys/ufs/ffs X-SVN-Commit-Revision: 362359 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Jun 2020 01:04:26 -0000 Author: mckusick Date: Fri Jun 19 01:04:25 2020 New Revision: 362359 URL: https://svnweb.freebsd.org/changeset/base/362359 Log: The binary representation of the superblock (the fs structure) is written out verbatim to the disk: see ffs_sbput() in sys/ufs/ffs/ffs_subr.c. It contains a pointer to the fs_summary_info structure. This pointer value inadvertently causes garbage to be stored. It is garbage because the pointer to the fs_summary_info structure is the address the then current stack or heap. Although a mere pointer does not reveal anything useful (like a part of a private key) to an attacker, garbage output deteriorates reproducibility. This commit zeros out the pointer to the fs_summary_info structure before writing the out the superblock. Reviewed by: kib Tested by: Peter Holm PR: 246983 Sponsored by: Netflix Modified: head/sys/ufs/ffs/ffs_subr.c head/sys/ufs/ffs/ffs_vfsops.c Modified: head/sys/ufs/ffs/ffs_subr.c ============================================================================== --- head/sys/ufs/ffs/ffs_subr.c Fri Jun 19 01:02:53 2020 (r362358) +++ head/sys/ufs/ffs/ffs_subr.c Fri Jun 19 01:04:25 2020 (r362359) @@ -50,7 +50,6 @@ uint32_t ffs_calc_sbhash(struct fs *); struct malloc_type; #define UFS_MALLOC(size, type, flags) malloc(size) #define UFS_FREE(ptr, type) free(ptr) -#define UFS_TIME time(NULL) /* * Request standard superblock location in ffs_sbget */ @@ -78,7 +77,6 @@ struct malloc_type; #define UFS_MALLOC(size, type, flags) malloc(size, type, flags) #define UFS_FREE(ptr, type) free(ptr, type) -#define UFS_TIME time_second #endif /* _KERNEL */ @@ -349,11 +347,24 @@ ffs_sbput(void *devfd, struct fs *fs, off_t loc, } } fs->fs_fmod = 0; - fs->fs_time = UFS_TIME; +#ifndef _KERNEL + { + struct fs_summary_info *fs_si; + + fs->fs_time = time(NULL); + /* Clear the pointers for the duration of writing. */ + fs_si = fs->fs_si; + fs->fs_si = NULL; + fs->fs_ckhash = ffs_calc_sbhash(fs); + error = (*writefunc)(devfd, loc, fs, fs->fs_sbsize); + fs->fs_si = fs_si; + } +#else /* _KERNEL */ + fs->fs_time = time_second; fs->fs_ckhash = ffs_calc_sbhash(fs); - if ((error = (*writefunc)(devfd, loc, fs, fs->fs_sbsize)) != 0) - return (error); - return (0); + error = (*writefunc)(devfd, loc, fs, fs->fs_sbsize); +#endif /* _KERNEL */ + return (error); } /* Modified: head/sys/ufs/ffs/ffs_vfsops.c ============================================================================== --- head/sys/ufs/ffs/ffs_vfsops.c Fri Jun 19 01:02:53 2020 (r362358) +++ head/sys/ufs/ffs/ffs_vfsops.c Fri Jun 19 01:04:25 2020 (r362359) @@ -2293,6 +2293,7 @@ ffs_use_bwrite(void *devfd, off_t loc, void *buf, int bcopy((caddr_t)fs, bp->b_data, (u_int)fs->fs_sbsize); fs = (struct fs *)bp->b_data; ffs_oldfscompat_write(fs, ump); + fs->fs_si = NULL; /* Recalculate the superblock hash */ fs->fs_ckhash = ffs_calc_sbhash(fs); if (devfdp->suspended)