Date: Wed, 29 Jan 2025 18:54:50 GMT
Message-Id: <202501291854.50TIso2T063891@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 10f8a9df522f - releng/14.2 - ktrace: Fix uninitialized memory disclosure
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/14.2
X-Git-Reftype: branch
X-Git-Commit: 10f8a9df522f9a5e5fb9a3a97d1d76949fe4ebc3
Auto-Submitted: auto-generated

The branch releng/14.2 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=10f8a9df522f9a5e5fb9a3a97d1d76949fe4ebc3

commit 10f8a9df522f9a5e5fb9a3a97d1d76949fe4ebc3
Author:     Mark Johnston
AuthorDate: 2025-01-20 13:50:04 +0000
Commit:     Mark Johnston
CommitDate: 2025-01-29 17:26:14 +0000

    ktrace: Fix uninitialized memory disclosure

    The sockaddr passed to ktrcapfail() may be smaller than sizeof(struct
    sockaddr), and the trailing bytes in the sockaddr structure will be
    uninitialized, whereupon they get copied out to userspace.

    Approved by:    so
    Security:       FreeBSD-SA-25:04.ktrace
    PR:             283673
    Reviewed by:    jfree, emaste
    Reported by:    Yichen Chai
    Reported by:    Zhuo Ying Jiang Li
    Fixes:          9bec84131215 ("ktrace: Record detailed ECAPMODE violations")
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D48499

    (cherry picked from commit 5b86888bae651e54ccc0adde0ed897ec1c1e0d45)
    (cherry picked from commit 99d5ee8738a354e0d8f12453a82ed87e47bd62f1)
---
 sys/kern/kern_ktrace.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 1c6a2ae01f3d..2b311f2d36dc 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -958,9 +958,16 @@ ktrcapfail(enum ktr_cap_violation type, const void *data) case CAPFAIL_PROTO: kcd->cap_int = *(const int *)data; break; - case CAPFAIL_SOCKADDR: - kcd->cap_sockaddr = *(const struct sockaddr *)data; + case CAPFAIL_SOCKADDR: { + size_t len; + + len = MIN(((const struct sockaddr *)data)->sa_len, + sizeof(kcd->cap_sockaddr)); + memset(&kcd->cap_sockaddr, 0, + sizeof(kcd->cap_sockaddr)); + memcpy(&kcd->cap_sockaddr, data, len); break; + } case CAPFAIL_NAMEI: strlcpy(kcd->cap_path, data, MAXPATHLEN); break;
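Review bot: the MIN() clamp in the CAPFAIL_SOCKADDR case stops the memcpy at sizeof(kcd->cap_sockaddr), but the sa_len byte inside kcd->cap_sockaddr is copied verbatim from `data`, so for an address longer than struct sockaddr the record carries an sa_len larger than the bytes actually present. Either add a short comment at the `len = MIN(((const struct sockaddr *)data)->sa_len, sizeof(kcd->cap_sockaddr));` line stating that the record is intentionally truncated and that readers must bound by sizeof(cap_sockaddr) rather than trust sa_len, or clamp `kcd->cap_sockaddr.sa_len = len;` after the memcpy so the record is self-consistent. The memset-before-memcpy ordering itself is correct and is what closes the disclosure for the short-sockaddr case the commit message describes.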
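To show why the whole-struct assignment leaked and what the memset/MIN/memcpy sequence changes, here is an added, self-contained C example that is not part of the FreeBSD commit or kernel source. It uses a 16-byte stand-in for the BSD struct sockaddr layout (assumed here so it builds on any platform), a constructed buffer whose poison bytes 0xAA play the role of uninitialised stack memory, and a counter that reports how many of those bytes end up in the record. It also exercises the other edge the MIN() guards, a source claiming a length larger than the destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* Stand-in for the BSD struct sockaddr layout: sa_len, sa_family, 14 data
 * bytes, 16 bytes total. Assumed for this example, not taken from a header. */
struct sa_rec {
	uint8_t sa_len;
	uint8_t sa_family;
	char    sa_data[14];
};

/* Pre-fix pattern: a whole-struct assignment always reads and copies
 * sizeof(struct sa_rec) bytes, however short the source really is. */
void copy_sockaddr_unsafe(struct sa_rec *dst, const void *src)
{
	*dst = *(const struct sa_rec *)src;
}

/* Fixed pattern: zero the destination, then copy only the bytes the source
 * claims to have, clamped to the destination size. */
void copy_sockaddr_safe(struct sa_rec *dst, const void *src)
{
	size_t len;

	len = MIN(((const struct sa_rec *)src)->sa_len, sizeof(*dst));
	memset(dst, 0, sizeof(*dst));
	memcpy(dst, src, len);
}

/* Count non-zero bytes that sit past the record's declared sa_len: these are
 * not part of the address and would be disclosed if copied out to userspace. */
size_t bytes_past_len_nonzero(const struct sa_rec *rec)
{
	const uint8_t *p = (const uint8_t *)rec;
	size_t n = 0, i;

	for (i = MIN(rec->sa_len, sizeof(*rec)); i < sizeof(*rec); i++)
		if (p[i] != 0)
			n++;
	return (n);
}

/* Scenario from the advisory: a 6-byte sockaddr at the start of a buffer whose
 * remaining bytes were never initialised. Poison 0xAA (constructed) stands in
 * for stale memory. Returns how many poison bytes reach the trace record. */
size_t leaked_bytes(int use_safe_copy)
{
	uint8_t buf[32];
	struct sa_rec rec;

	memset(buf, 0xAA, sizeof(buf));
	buf[0] = 6;			/* sa_len: only 6 bytes are valid */
	buf[1] = 1;			/* sa_family: arbitrary constructed value */
	memcpy(&buf[2], "abcd", 4);	/* 4 bytes of address data */

	if (use_safe_copy)
		copy_sockaddr_safe(&rec, buf);
	else
		copy_sockaddr_unsafe(&rec, buf);
	return (bytes_past_len_nonzero(&rec));
}

/* Oversized source: sa_len larger than the destination. The copy must stop at
 * sizeof(struct sa_rec); note the record still carries the source's sa_len. */
uint8_t recorded_len_for_oversized(uint8_t claimed_len)
{
	uint8_t buf[32];
	struct sa_rec rec;

	memset(buf, 0x42, sizeof(buf));	/* constructed filler, never read past 16 */
	buf[0] = claimed_len;
	copy_sockaddr_safe(&rec, buf);
	return (rec.sa_len);
}

int main(void)
{
	printf("unsafe copy leaks %zu bytes, safe copy leaks %zu bytes\n",
	    leaked_bytes(0), leaked_bytes(1));
	printf("oversized source: record sa_len=%u, copied at most %zu bytes\n",
	    recorded_len_for_oversized(200), sizeof(struct sa_rec));
	return (0);
}
```

With the 6-byte source, the unsafe copy carries the 10 poison bytes from offsets 6 to 15 into the record, while the safe copy leaves them zero. The oversized case shows that the clamp bounds the read but leaves sa_len as supplied, so a consumer of the record should bound by the record size rather than by sa_len.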