Date: Thu, 04 Jun 2020 15:31:49 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 246983] sbput(3) writes out the values of pointers verbatim
Message-ID: <bug-246983-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246983

            Bug ID: 246983
           Summary: sbput(3) writes out the values of pointers verbatim
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: goatshit54108@national.shitposting.agency

`struct fs` contains some pointer fields. The binary representation of a
`struct fs` is written out verbatim to the disk: see ffs_sbput() in
sys/ufs/ffs/ffs_subr.c. This inadvertently causes garbage to be stored, in
particular by newfs(1). (It is garbage because those pointers pointed to the
then-current stack or heap.)

Although a mere pointer doesn't reveal anything useful (like a part of a
private key) to an attacker, garbage output deteriorates reproducibility.

In an attempt to work around this design, users of sbput(3) ought to zero out
those pointer fields, but this isn't totally possible, because the function
makes use of the `fs_csp` field. So the solution should be to save the
pointers before writing the whole struct out, and to restore them afterwards.

It would have been ideal if `struct fs` didn't contain any pointers at all.

-- 
You are receiving this mail because:
You are the assignee for the bug.
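The fix the report proposes (save the in-memory pointers, zero them while the struct is copied to disk, restore them afterwards so the writer can still use `fs_csp`) can be shown on a small constructed superblock. The following is an added example and is not FreeBSD code: `struct sb`, `struct csum`, `SB_MAGIC` and the field names are hypothetical stand-ins for `struct fs` and `fs_csp`, and the "disk" is an in-memory byte buffer. `run_checks()` builds two superblocks with identical on-disk content but different heap and stack addresses, as two runs of a formatter would, and reports whether each writer leaks address bytes into the image and whether its output is reproducible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a superblock that mixes on-disk fields with
 * in-memory pointers, as the report says struct fs does. All names here
 * are hypothetical; csp plays the role of fs_csp, which ffs_sbput() still
 * needs while writing. */
struct csum { uint32_t ndir; uint32_t nbfree; };

struct sb {
    uint32_t     magic;
    uint32_t     nblocks;
    struct csum *csp;         /* in-memory only: summary area pointer */
    void        *maxcluster;  /* in-memory only */
    uint8_t      tail[8];
};

#define SB_MAGIC 0x53420001u  /* constructed value, not a real FFS magic */

/* Naive writer: the struct's bytes, pointer values included, land on disk. */
size_t sb_put_naive(const struct sb *fs, uint8_t *disk, size_t cap)
{
    if (cap < sizeof *fs)
        return 0;
    memcpy(disk, fs, sizeof *fs);
    return sizeof *fs;
}

/* Fixed writer, following the report's suggestion: stash the pointers,
 * zero them for the duration of the copy, restore them afterwards, and
 * only then use csp to write the summary area it points to. */
size_t sb_put_fixed(struct sb *fs, uint8_t *disk, size_t cap)
{
    size_t need = sizeof *fs + sizeof *fs->csp;
    if (cap < need)
        return 0;
    struct csum *csp = fs->csp;
    void *maxcluster = fs->maxcluster;
    fs->csp = NULL;
    fs->maxcluster = NULL;
    memcpy(disk, fs, sizeof *fs);      /* image now holds no address bytes */
    fs->csp = csp;                     /* restore: callers still use fs_csp */
    fs->maxcluster = maxcluster;
    memcpy(disk + sizeof *fs, fs->csp, sizeof *fs->csp);
    return need;
}

/* Does the image contain the address held in fs->csp at that field's
 * on-disk offset? A zeroed field never matches a live heap/stack address. */
static int image_has_pointer(const uint8_t *disk, const struct sb *fs)
{
    return memcmp(disk + offsetof(struct sb, csp), &fs->csp, sizeof fs->csp) == 0;
}

struct check {
    int naive_has_ptr, naive_reproducible;
    int fixed_has_ptr, fixed_reproducible;
};

/* Two superblocks with identical on-disk content but different in-memory
 * pointers (constructed input), written with each writer and compared. */
struct check run_checks(void)
{
    struct csum a = { 2, 100 }, b = { 2, 100 };  /* same content, distinct objects */
    struct sb fs1, fs2;
    uint8_t img1[64], img2[64];
    struct check r;

    memset(&fs1, 0, sizeof fs1);
    fs1.magic = SB_MAGIC;
    fs1.nblocks = 4096;
    fs2 = fs1;
    fs1.csp = &a; fs1.maxcluster = &fs1;
    fs2.csp = &b; fs2.maxcluster = &fs2;

    memset(img1, 0, sizeof img1); memset(img2, 0, sizeof img2);
    sb_put_naive(&fs1, img1, sizeof img1);
    sb_put_naive(&fs2, img2, sizeof img2);
    r.naive_has_ptr = image_has_pointer(img1, &fs1);
    r.naive_reproducible = memcmp(img1, img2, sizeof img1) == 0;

    memset(img1, 0, sizeof img1); memset(img2, 0, sizeof img2);
    sb_put_fixed(&fs1, img1, sizeof img1);
    sb_put_fixed(&fs2, img2, sizeof img2);
    r.fixed_has_ptr = image_has_pointer(img1, &fs1);
    r.fixed_reproducible = memcmp(img1, img2, sizeof img1) == 0;
    if (fs1.csp != &a || fs2.csp != &b)   /* pointers must survive the call */
        r.fixed_reproducible = 0;
    return r;
}

int main(void)
{
    struct check r = run_checks();
    printf("naive: pointer on disk=%d reproducible=%d\n", r.naive_has_ptr, r.naive_reproducible);
    printf("fixed: pointer on disk=%d reproducible=%d\n", r.fixed_has_ptr, r.fixed_reproducible);
    return 0;
}
```

The naive image differs between the two runs purely because of the address bytes, which is the reproducibility loss the report describes; the fixed writer produces byte-identical images and hands the struct back with its pointers intact, so code that relies on `fs_csp` after the write keeps working.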
