From owner-freebsd-bugs Sun Mar 17 22:40:07 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id CF02637B41D
	for ; Sun, 17 Mar 2002 22:40:01 -0800 (PST)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g2I6e1a63540;
	Sun, 17 Mar 2002 22:40:01 -0800 (PST)
	(envelope-from gnats)
Received: from descent.robbins.dropbear.id.au (078.b.004.mel.iprimus.net.au [210.50.37.78])
	by hub.freebsd.org (Postfix) with ESMTP id 60A1C37B421
	for ; Sun, 17 Mar 2002 22:32:38 -0800 (PST)
Received: (from tim@localhost)
	by descent.robbins.dropbear.id.au (8.11.6/8.11.6) id g2I6WCE00274;
	Mon, 18 Mar 2002 17:32:12 +1100 (EST)
	(envelope-from tim)
Message-Id: <200203180632.g2I6WCE00274@descent.robbins.dropbear.id.au>
Date: Mon, 18 Mar 2002 17:32:12 +1100 (EST)
From: "Tim J. Robbins"
Reply-To: "Tim J. Robbins"
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/36038: sendfile(2) on smbfs fails, exposes kernel memory to userspace
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         36038
>Category:       kern
>Synopsis:       sendfile(2) on smbfs fails, exposes kernel memory to userspace
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 17 22:40:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Tim J. Robbins
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
>Environment:
System: FreeBSD descent.robbins.dropbear.id.au 4.5-STABLE FreeBSD 4.5-STABLE #7: Mon Mar 18 16:43:16 EST 2002 tim@descent.robbins.dropbear.id.au:/usr/obj/usr/src/sys/DESCENT i386
>Description:
sendfile(2) on a file on a smbfs mount usually fails with errno == EFAULT.
However, in certain situations it can accidentally leak what appears to be
random kernel memory.
>How-To-Repeat:
This simple program uses sendfile() to copy the specified files to standard
output (which must be a socket):

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <err.h>
#include <fcntl.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
	const char *fn;
	int fd;

	while ((fn = *++argv) != NULL) {
		if ((fd = open(fn, O_RDONLY)) < 0)
			err(1, "open %s", fn);
		/* offset 0, nbytes 0: send the whole file to the socket on stdout */
		if (sendfile(fd, STDOUT_FILENO, 0, 0, NULL, NULL, 0) < 0)
			err(1, "sendfile %s", fn);
		close(fd);
	}
	return (0);
}

When run from inetd, it never gives the actual contents of the file like it
should (and does on other filesystems). It often gets EFAULT, other times it
dumps random garbage.

A more complicated program demonstrating this problem is thttpd (in ports),
which uses sendfile(2) to serve static pages. It does not work if the pages
it should serve are on smbfs.
>Fix:
Not known.
>Release-Note:
>Audit-Trail:
>Unformatted:
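The reporter's program needs inetd (or another socket on stdout) and a human to notice that what came out was not the file. The harness below is an added example, not part of PR kern/36038 and not the reporter's code: it builds the same situation in one process tree with a socketpair, has a child run sendfile() into it exactly as the report's program does, and has the parent compare what arrived with what read(2) returns for the same file. It assumes the FreeBSD sendfile(2) signature used in the report and, under the `#else`, the Linux one; the temp-file pattern in self_check() is constructed input. On an affected 4.5-STABLE box, point check_sendfile() at a file under an smbfs mount: -1 with errno == EFAULT is the common failure the report describes, and 1 is the case where the socket received bytes that are not the file's contents.

```c
/* Added example, not part of PR kern/36038: does sendfile(2) hand a socket the
 * same bytes read(2) returns for the file?  A child runs sendfile() into a
 * socketpair (standing in for inetd), the parent drains it and compares. */
#define _GNU_SOURCE 1
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/uio.h>		/* assumed FreeBSD sendfile(2) signature */
#else
#include <sys/sendfile.h>	/* assumed Linux sendfile(2) signature */
#endif

/* Send all of fd down socket s.  Returns 0, or -1 with errno set. */
static int do_sendfile(int fd, int s)
{
#ifdef __FreeBSD__
	return sendfile(fd, s, 0, 0, NULL, NULL, 0);	/* nbytes 0: send to EOF */
#else
	struct stat st;
	off_t off = 0;
	if (fstat(fd, &st) < 0)
		return -1;
	while (off < st.st_size) {	/* Linux: loop on short sends */
		ssize_t n = sendfile(s, fd, &off, (size_t)(st.st_size - off));
		if (n <= 0)
			return n < 0 ? -1 : 0;	/* 0: file shrank under us */
	}
	return 0;
#endif
}

/* Read fd to EOF into buf; returns the length, or -1 on error or overflow. */
static ssize_t read_all(int fd, unsigned char *buf, size_t cap)
{
	size_t len = 0;
	ssize_t n = 0;
	while (len < cap && (n = read(fd, buf + len, cap - len)) > 0)
		len += (size_t)n;
	return n < 0 || len == cap ? -1 : (ssize_t)len;
}

/* Returns 0 when sendfile() and read() agree on path, 1 when the bytes differ
 * (the reporter's "random garbage"), -1 when sendfile() failed (errno is the
 * child's errno, e.g. EFAULT), -2 on a setup failure unrelated to sendfile(). */
int check_sendfile(const char *path)
{
	static unsigned char got[1 << 20], want[1 << 20];
	int sv[2], fd, status;
	ssize_t got_len, want_len;
	pid_t pid;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return -2;
	if ((pid = fork()) == 0) {		/* child: the inetd-spawned program */
		close(sv[0]);
		if ((fd = open(path, O_RDONLY)) < 0)
			_exit(200);
		if (do_sendfile(fd, sv[1]) < 0)
			_exit(errno > 0 && errno < 200 ? errno : 201);
		_exit(0);
	}
	close(sv[1]);
	got_len = pid < 0 ? -1 : read_all(sv[0], got, sizeof got);	/* drain to EOF */
	close(sv[0]);
	if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
	    WEXITSTATUS(status) >= 200)
		return -2;
	if (WEXITSTATUS(status) != 0) {
		errno = WEXITSTATUS(status);	/* the child's sendfile() errno */
		return -1;
	}
	if (got_len < 0 || (fd = open(path, O_RDONLY)) < 0)
		return -2;
	want_len = read_all(fd, want, sizeof want);
	close(fd);
	return want_len < 0 ? -2 : want_len == got_len && !memcmp(want, got, (size_t)want_len) ? 0 : 1;
}

/* Self-test on constructed input: a deterministic 100000-byte pattern (bigger
 * than a socket buffer) in a temp file.  Returns check_sendfile()'s result. */
int self_check(void)
{
	static unsigned char pat[100000];
	char path[] = "/tmp/sendfile.XXXXXX";
	int fd, rc = -2;
	for (size_t i = 0; i < sizeof pat; i++)
		pat[i] = (unsigned char)(i * 31 + (i >> 8));	/* constructed bytes */
	if ((fd = mkstemp(path)) < 0)
		return -2;
	if (write(fd, pat, sizeof pat) == (ssize_t)sizeof pat)
		rc = check_sendfile(path);
	close(fd); unlink(path);
	return rc;
}
```

self_check() runs the comparison against a local temp file and returns 0 on a filesystem where sendfile(2) works, so it serves as the baseline; the child's exit status carries its errno back so the parent can report EFAULT (or whatever the kernel returned) rather than just "failed", and the socketpair plus fork keeps the reader draining while the child blocks on a full socket buffer.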