Date:      Thu, 04 Jun 2020 15:31:49 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 246983] sbput(3) writes out the values of pointers verbatim
Message-ID:  <bug-246983-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246983

            Bug ID: 246983
           Summary: sbput(3) writes out the values of pointers verbatim
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: goatshit54108@national.shitposting.agency

`struct fs` contains some pointer fields. The binary representation of a
`struct fs` is written out verbatim to the disk: see ffs_sbput() in
sys/ufs/ffs/ffs_subr.c. This inadvertently causes garbage to be stored, in
particular by newfs(1). (It is garbage because those pointers pointed to the
then-current stack or heap.) Although a mere pointer doesn't reveal anything
useful (like a part of a private key) to an attacker, garbage output
deteriorates reproducibility.

In an attempt to work around this design, users of sbput(3) ought to zero out
those pointer fields, but this isn't totally possible, because the function
makes use of the `fs_csp` field. So the solution should be to save the pointers
before writing the whole struct out, and to restore them afterwards.

It would have been ideal if `struct fs` didn't contain any pointers at all.

-- 
You are receiving this mail because:
You are the assignee for the bug.
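The following is an added illustration, not code from the reporter or from FreeBSD: it shows why copying a struct with pointer members straight to a disk image breaks reproducibility, and the save-zero-restore approach the report proposes for a writer that still needs one of those pointers (as ffs_sbput() needs `fs_csp`). `struct toy_sb`, `sb_put_naive` and `sb_put_fixed` are constructed stand-ins, not `struct fs` or `ffs_sbput()`; the sample field values are made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an on-disk superblock (NOT FreeBSD's struct fs).
 * The two pointer members are meaningful only in memory; writing their
 * values to disk stores whatever address the stack or heap happened to have. */
struct toy_sb {
    uint32_t magic;       /* sample on-disk field */
    uint32_t nblocks;     /* sample on-disk field */
    int32_t *csp;         /* in-memory only, used by the writer (like fs_csp) */
    void    *scratch;     /* in-memory only, unused by the writer */
    uint32_t csum_total;  /* on-disk field the writer derives from *csp */
};

/* Naive writer: the whole struct, pointer bytes included, goes into the image. */
static void sb_put_naive(struct toy_sb *sb, unsigned char *out)
{
    sb->csum_total = sb->csp ? (uint32_t)*sb->csp : 0;
    memcpy(out, sb, sizeof *sb);
}

/* Fixed writer: use the pointer first, then save, zero, write and restore
 * the pointer members so the image never carries addresses and the caller's
 * struct is unchanged afterwards. */
static void sb_put_fixed(struct toy_sb *sb, unsigned char *out)
{
    sb->csum_total = sb->csp ? (uint32_t)*sb->csp : 0;   /* needs csp here */

    int32_t *saved_csp = sb->csp;
    void    *saved_scratch = sb->scratch;
    sb->csp = NULL;
    sb->scratch = NULL;
    memcpy(out, sb, sizeof *sb);
    sb->csp = saved_csp;
    sb->scratch = saved_scratch;
}

/* Returns 1 if two superblocks with identical logical contents but different
 * pointer values serialize to identical bytes with the given writer. */
static int image_is_reproducible(void (*put)(struct toy_sb *, unsigned char *))
{
    int32_t sum_a = 7, sum_b = 7;      /* same summary value, different addresses */
    int scratch_a = 0, scratch_b = 0;
    struct toy_sb a, b;
    unsigned char img_a[sizeof a], img_b[sizeof b];

    /* memset also zeroes struct padding, another source of stray bytes. */
    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);
    a.magic = b.magic = 0x1234;        /* constructed sample values */
    a.nblocks = b.nblocks = 4096;
    a.csp = &sum_a;  a.scratch = &scratch_a;
    b.csp = &sum_b;  b.scratch = &scratch_b;

    put(&a, img_a);
    put(&b, img_b);
    return memcmp(img_a, img_b, sizeof img_a) == 0;
}

/* Returns 1 if the fixed writer leaves the caller's pointers intact and
 * still produced the derived field from *csp. */
static int pointers_restored(void)
{
    int32_t sum = 3;
    int scratch = 0;
    struct toy_sb sb;
    unsigned char img[sizeof sb];

    memset(&sb, 0, sizeof sb);
    sb.csp = &sum;
    sb.scratch = &scratch;
    sb_put_fixed(&sb, img);
    return sb.csp == &sum && sb.scratch == &scratch && sb.csum_total == 3;
}

int main(void)
{
    printf("naive writer reproducible: %d\n", image_is_reproducible(sb_put_naive));
    printf("fixed writer reproducible: %d\n", image_is_reproducible(sb_put_fixed));
    printf("pointers restored after fixed write: %d\n", pointers_restored());
    return 0;
}
```

Running the naive writer twice on logically identical superblocks yields different images because the pointer members differ, which is exactly the reproducibility problem the report describes for newfs(1) output; the fixed writer produces byte-identical images and hands the struct back with its pointers unchanged.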