Date: Mon, 18 Mar 2002 17:32:12 +1100 (EST)
From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/36038: sendfile(2) on smbfs fails, exposes kernel memory to userspace
Message-ID: <200203180632.g2I6WCE00274@descent.robbins.dropbear.id.au>

>Number:         36038
>Category:       kern
>Synopsis:       sendfile(2) on smbfs fails, exposes kernel memory to userspace
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 17 22:40:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Tim J. Robbins
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
>Environment:
System: FreeBSD descent.robbins.dropbear.id.au 4.5-STABLE FreeBSD 4.5-STABLE #7: Mon Mar 18 16:43:16 EST 2002 tim@descent.robbins.dropbear.id.au:/usr/obj/usr/src/sys/DESCENT i386

>Description:
sendfile(2) on a file on a smbfs mount usually fails with errno == EFAULT.
However, in certain situations it can accidentally leak what appears to be
random kernel memory.

>How-To-Repeat:
This simple program uses sendfile() to copy the specified files to standard
output (which must be a socket):

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <err.h>
#include <fcntl.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
	const char *fn;
	int fd;

	/* Send each file named on the command line to standard output. */
	while ((fn = *++argv) != NULL) {
		if ((fd = open(fn, O_RDONLY)) < 0)
			err(1, "open %s", fn);
		/* offset 0, nbytes 0: send the whole file; no headers/trailers. */
		if (sendfile(fd, STDOUT_FILENO, 0, 0, NULL, NULL, 0) < 0)
			err(1, "sendfile %s", fn);
		close(fd);
	}

	return(0);
}

When run from inetd, it never gives the actual contents of the file like it
should (and does on other filesystems). It often gets EFAULT, other times it
dumps random garbage.

A more complicated program demonstrating this problem is thttpd (in ports),
which uses sendfile(2) to serve static pages. It does not work if the pages
it should serve are on smbfs.

>Fix:
Not known.

>Release-Note:
>Audit-Trail:
>Unformatted:
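A regression check for the behaviour described in this report, added here as an example and not part of the original PR: it sends the first bytes of a file through sendfile(2) into a socketpair(2) and compares them with what read(2) returns for the same file. The names sendfile_check and CHECK_MAX are hypothetical, it assumes sendfile(2) accepts an AF_UNIX stream socket, and the Linux branch exists only so the check also builds off FreeBSD.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#ifdef __linux__
#include <sys/sendfile.h>	/* Linux declares sendfile(2) here */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CHECK_MAX 4096	/* assumption: compare the first 4 KiB only */

/* 0 = bytes match, 1 = sendfile delivered different bytes, -1 = a call failed */
int sendfile_check(const char *path)
{
	char want[CHECK_MAX], got[CHECK_MAX];
	int fd, sv[2];
	ssize_t n, r, m = 0;
	off_t sent = 0, off = 0;

	if ((fd = open(path, O_RDONLY)) < 0)
		return -1;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
		close(fd);
		return -1;
	}
	n = read(fd, want, sizeof(want));	/* reference copy via read(2) */
#ifdef __linux__
	sent = n > 0 ? sendfile(sv[0], fd, &off, (size_t)n) : n;
#else
	if (n > 0 && sendfile(fd, sv[0], off, (size_t)n, NULL, &sent, 0) < 0)
		sent = -1;			/* e.g. the EFAULT case in the report */
#endif
	close(sv[0]);				/* reader sees EOF after the data */
	while (m < sent && (r = read(sv[1], got + m, (size_t)(sent - m))) > 0)
		m += r;
	close(sv[1]);
	close(fd);
	if (n < 0 || sent < 0)
		return -1;
	return (sent != n || m != n || memcmp(want, got, (size_t)n) != 0);
}

int main(int argc, char *argv[])
{
	int rc = argc > 1 ? sendfile_check(argv[1]) : -1;

	printf("%s\n", rc == 0 ? "match" : rc == 1 ? "MISMATCH" : "error");
	return rc != 0;
}
```

Run it against a file on the filesystem under test and against the same file copied to a local filesystem; only the first should ever report anything other than "match".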