From: Mark Johnston Date: Thu, 9 Jul 2020 17:26:49 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r363051 - in head: lib/libc/sys sys/kern X-SVN-Group: head X-SVN-Commit-Author: markj X-SVN-Commit-Paths: in head: lib/libc/sys sys/kern X-SVN-Commit-Revision: 363051 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Jul 2020 17:26:50 -0000 Author: markj Date: Thu Jul 9 17:26:49 2020 New Revision: 363051 URL: https://svnweb.freebsd.org/changeset/base/363051 Log: Avoid copying out kernel pointers from msgctl(IPC_STAT). While this behaviour is harmless, it is really just an artifact of the fact that the msgctl(2) implementation uses a user-visible structure as part of the internal implementation, so it is not deliberate and these pointers are not useful to userspace. Thus, NULL them out before copying out, and remove references to them from the manual page. Reported by: Jeffball Reviewed by: emaste, kib MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D25600 Modified: head/lib/libc/sys/msgctl.2 head/sys/kern/sysv_msg.c Modified: head/lib/libc/sys/msgctl.2 ============================================================================== --- head/lib/libc/sys/msgctl.2 Thu Jul 9 17:12:22 2020 (r363050) +++ head/lib/libc/sys/msgctl.2 Thu Jul 9 17:26:49 2020 (r363051) @@ -31,7 +31,7 @@ .\" .\" $FreeBSD$ .\"/ -.Dd July 9, 2009 +.Dd July 9, 2020 .Dt MSGCTL 2 .Os .Sh NAME 
@@ -63,8 +63,6 @@ and contains (amongst others) the following members: .Bd -literal struct msqid_ds { struct ipc_perm msg_perm; /* msg queue permission bits */ - struct msg *__msg_first; /* kernel data, don't use */ - struct msg *__msg_last; /* kernel data, don't use */ msglen_t msg_cbytes; /* number of bytes in use on the queue */ msgqnum_t msg_qnum; /* number of msgs in the queue */ msglen_t msg_qbytes; /* max # of bytes on the queue */ Modified: head/sys/kern/sysv_msg.c ============================================================================== --- head/sys/kern/sysv_msg.c Thu Jul 9 17:12:22 2020 (r363050) +++ head/sys/kern/sysv_msg.c Thu Jul 9 17:26:49 2020 (r363051) @@ -613,6 +613,13 @@ kern_msgctl(struct thread *td, int msqid, int cmd, str *msqbuf = msqkptr->u; if (td->td_ucred->cr_prison != msqkptr->cred->cr_prison) msqbuf->msg_perm.key = IPC_PRIVATE; + + /* + * Try to hide the fact that the structure layout is shared by + * both the kernel and userland. These pointers are not useful + * to userspace. + */ + msqbuf->__msg_first = msqbuf->__msg_last = NULL; break; default:
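Review bot: In the msgctl.2 hunk at @@ -63,8 +63,6 @@, the two members are dropped from the documented struct msqid_ds, yet the sysv_msg.c hunk still assigns msqbuf->__msg_first and msqbuf->__msg_last, so the fields remain in the real structure. The existing wording "contains (amongst others) the following members" covers the omission, but a reader comparing the page with the header will find members the page no longer mentions; consider adding a sentence that the structure has further kernel-private members which are cleared on IPC_STAT.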
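Review bot: In the sysv_msg.c hunk at @@ -613,6 +613,13 @@, the new comment gives the reason for the NULLing as hiding the shared structure layout and does not say that the fields hold kernel addresses. Wording it as "clear these so kernel pointers are not copied out to userspace" would stop a later cleanup from treating the line as cosmetic and removing it. The assignment acts on msqbuf after `*msqbuf = msqkptr->u;`, so the kernel's own copy keeps its list pointers, which is the right place for it. Because that structure copy carries every member, it is worth confirming that no other field of msqid_ds holds kernel-only data that would still reach the caller.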