Date:      Tue, 26 Jan 2016 17:29:06 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 206648] Fix double strlen in ktrstruct
Message-ID:  <bug-206648-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206648

            Bug ID: 206648
           Summary: Fix double strlen in ktrstruct
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ecturt@gmail.com

The `ktrstruct` function from `sys/kern/kern_ktrace.c` was calling `strlen` on
`name` twice, which could have led to a race attack (contents of `name`
changed between these two calls). I've verified that this wasn't previously
optimised into a single call to `strlen` in a compiled kernel.

There is no way to exploit this bug since it is only used by macros which pass
strings with static contents:

#define ktrsockaddr(s) \
 ktrstruct("sockaddr", (s), ((struct sockaddr *)(s))->sa_len)
#define ktrstat(s) \
 ktrstruct("stat", (s), sizeof(struct stat))

However, this situation is fragile, and should be patched to prevent the
possibility of being exploited in the future if ever `ktrstruct` is passed a
non-static name. At the very least, this patch will also be a very minor
optimisation.

Current:

void
ktrstruct(name, data, datalen)
        const char *name;
        void *data;
        size_t datalen;
{
        struct ktr_request *req;
        char *buf = NULL;
        size_t buflen;

        if (!data)
                datalen = 0;
        buflen = strlen(name) + 1 + datalen;            /* first strlen(): sizes the allocation */
        buf = malloc(buflen, M_KTRACE, M_WAITOK);
        strcpy(buf, name);
        bcopy(data, buf + strlen(name) + 1, datalen);   /* second strlen(): positions the copy */
        if ((req = ktr_getrequest(KTR_STRUCT)) == NULL) {
                free(buf, M_KTRACE);
                return;
        }
        req->ktr_buffer = buf;
        req->ktr_header.ktr_len = buflen;
        ktr_submitrequest(curthread, req);
}

Patched:

void
ktrstruct(name, data, datalen)
        const char *name;
        void *data;
        size_t datalen;
{
        struct ktr_request *req;
        char *buf = NULL;
        size_t namelen;
        size_t buflen;

        if (!data)
                datalen = 0;

        namelen = strlen(name);                         /* single strlen(), reused below */

        buflen = namelen + 1 + datalen;
        buf = malloc(buflen, M_KTRACE, M_WAITOK);
        strcpy(buf, name);
        bcopy(data, buf + namelen + 1, datalen);        /* offset derived from the saved length */
        if ((req = ktr_getrequest(KTR_STRUCT)) == NULL) {
                free(buf, M_KTRACE);
                return;
        }
        req->ktr_buffer = buf;
        req->ktr_header.ktr_len = buflen;
        ktr_submitrequest(curthread, req);
}

-- 
You are receiving this mail because:
You are the assignee for the bug.
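
The race the report describes, as an added stand-alone example that is not part of the bug report or of FreeBSD's kern_ktrace.c: a writer that changes `name` between the first `strlen()` (which sizes the allocation) and the second (which positions the copy) makes the copy end past the buffer. The racing writer is modelled by a hook called inside the window rather than by a second thread, so the run is deterministic, and the unsafe shape only computes where its copy would end instead of performing an out-of-bounds write. The function names `ktrstruct_double_strlen`, `ktrstruct_single_strlen`, `grow_name`, the `outcome` struct and the sample inputs are all hypothetical and constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not FreeBSD code. The hook stands in for a concurrent
 * writer that rewrites the name while ktrstruct() is running.
 */
typedef void (*race_hook_t)(char *name);

struct outcome {
    size_t buflen;     /* bytes allocated for name + NUL + data */
    size_t write_end;  /* one past the last byte the data copy would touch */
    int    overflow;   /* 1 if write_end > buflen */
    char  *buf;        /* built record (safe shape only); caller frees */
};

/* Unsafe shape: allocation sized from one strlen(), copy positioned from a
 * second. If name grows in between, bcopy() would land past the end of buf.
 * The copy is deliberately not performed; only its extent is computed. */
struct outcome ktrstruct_double_strlen(char *name, const void *data,
                                       size_t datalen, race_hook_t hook)
{
    struct outcome o = {0, 0, 0, NULL};
    if (data == NULL)
        datalen = 0;
    o.buflen = strlen(name) + 1 + datalen;     /* first read of the length */
    if (hook != NULL)
        hook(name);                            /* the race window */
    o.write_end = strlen(name) + 1 + datalen;  /* second read positions the copy */
    o.overflow = o.write_end > o.buflen;
    return o;
}

/* Safe shape: the length is read once and every later offset derives from
 * that saved value. The name is copied with memcpy() bounded by namelen
 * rather than strcpy(), so the copy never re-reads the NUL position. */
struct outcome ktrstruct_single_strlen(char *name, const void *data,
                                       size_t datalen, race_hook_t hook)
{
    struct outcome o = {0, 0, 0, NULL};
    size_t namelen;
    if (data == NULL)
        datalen = 0;
    namelen = strlen(name);                    /* the only length read */
    o.buflen = namelen + 1 + datalen;
    if (hook != NULL)
        hook(name);                            /* same window, now harmless */
    o.buf = malloc(o.buflen);
    if (o.buf == NULL)
        return o;
    memcpy(o.buf, name, namelen);              /* bounded by the saved length */
    o.buf[namelen] = '\0';
    if (datalen > 0)
        memcpy(o.buf + namelen + 1, data, datalen);
    o.write_end = namelen + 1 + datalen;
    o.overflow = o.write_end > o.buflen;       /* always 0 by construction */
    return o;
}

/* Constructed racing writer: lengthens the name inside the window, as a
 * concurrent writer with a larger buffer behind the pointer could. */
void grow_name(char *name)
{
    strcat(name, "_grown");
}

int main(void)
{
    char name1[64] = "sockaddr";               /* constructed, mutable name */
    char name2[64] = "sockaddr";
    unsigned char data[16] = {0};              /* constructed payload */
    struct outcome a = ktrstruct_double_strlen(name1, data, sizeof data, grow_name);
    struct outcome b = ktrstruct_single_strlen(name2, data, sizeof data, grow_name);

    printf("double strlen: alloc %zu, copy ends at %zu, overflow=%d\n",
           a.buflen, a.write_end, a.overflow);
    printf("single strlen: alloc %zu, copy ends at %zu, overflow=%d, name=\"%s\"\n",
           b.buflen, b.write_end, b.overflow, b.buf);
    free(b.buf);
    return a.overflow ? 1 : 0;
}
```

With "sockaddr" grown to "sockaddr_grown" inside the window, the unsafe shape allocates 8 + 1 + 16 = 25 bytes but would copy up to byte 31; the safe shape's extent equals its allocation whatever the hook does. The example copies the name with `memcpy()` over the saved `namelen` on purpose: the patched `ktrstruct` above still calls `strcpy(buf, name)` after saving `namelen`, so its saved length bounds the `bcopy` offset but not the string copy itself, and a name that grew between `strlen` and `strcpy` would still be written past the end of `buf`. Deriving every access from the single length read closes that remaining window.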