Date: Wed, 17 Nov 1999 12:01:40 -0500 (EST) From: Kelly Yancey <kbyanc@posi.net> To: freebsd-security@freebsd.org Subject: kernel stack contents visible from userland Message-ID: <Pine.BSF.4.05.9911171152270.8195-100000@kronos.alcnet.com>
Is there any security concern with a portion of the kernel's stack being visible from userland? The reason I ask is that while investigating another issue, I noticed that stat family of calls (and probably others) leave kernel stack contents into userland via spare struct stat fields (I imagine other structures have similar behavior with regards to the padding between fiels for alignment). The attached (simple) patch, applied in /sys/kern fixes it for stat and family. That is, assuming that this is something that needs fixing :) -- Kelly Yancey - kbyanc@posi.net - Richmond, VA Director of Technical Services, ALC Communications http://www.alcnet.com/ Maintainer, BSD Driver Database http://www.posi.net/freebsd/drivers/ Coordinator, Team FreeBSD http://www.posi.net/freebsd/Team-FreeBSD/
--- kern_descrip.c.orig Mon Nov 15 22:11:57 1999
+++ kern_descrip.c Mon Nov 15 22:27:43 1999
@@ -548,9 +548,11 @@
 panic("ofstat");
 /*NOTREACHED*/
 }
- cvtstat(&ub, &oub);
- if (error == 0)
+ if (error == 0) {
+ bzero(&oub, sizeof (oub));
+ cvtstat(&ub, &oub);
 error = copyout((caddr_t)&oub, (caddr_t)uap->sb, sizeof (oub));
+ }
 return (error);
 }
 #endif /* COMPAT_43 || COMPAT_SUNOS */
@@ -578,6 +580,7 @@
 if ((unsigned)uap->fd >= fdp->fd_nfiles || (fp = fdp->fd_ofiles[uap->fd]) == NULL) return (EBADF);
+ bzero(&ub, sizeof (ub));
 switch (fp->f_type) { case DTYPE_FIFO:
@@ -646,6 +649,7 @@
 /*NOTREACHED*/
 }
 if (error == 0) {
+ bzero(&nub, sizeof (nub));
 cvtnstat(&ub, &nub);
 error = copyout((caddr_t)&nub, (caddr_t)uap->sb, sizeof (nub));
 }
--- vfs_syscalls.c.orig Mon Nov 15 23:25:48 1999
+++ vfs_syscalls.c Mon Nov 15 23:29:08 1999
@@ -1514,6 +1514,7 @@
 vput(nd.ni_vp);
 if (error)
 return (error);
+ bzero(&osb, sizeof (osb));
 cvtstat(&sb, &osb);
 error = copyout((caddr_t)&osb, (caddr_t)SCARG(uap, ub), sizeof (osb));
 return (error);
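Review bot: The hunk at -548 clears only the converted struct `oub`; the `ub` that `cvtstat()` reads from is not cleared anywhere in the visible hunks for this function, and the same pattern appears at -646 (`nub`), -1514 and -1552 (`osb`), and -1707 and -1745 (`nsb`), whereas -578, -1613 and -1648 clear the source struct instead. `cvtstat()` and `cvtnstat()` are not shown, so whether they copy spare fields across is unconfirmed; if they do, uninitialised bytes from the source would still reach `copyout()`. Clearing the source before it is filled in these functions as well, e.g. `bzero(&sb, sizeof (sb));` ahead of the `vn_stat()` call, would close that gap and make all call sites consistent. Every enclosing function begins and ends outside its hunk, so the exact insertion point needs checking against the full file.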
@@ -1552,6 +1553,7 @@
 vput(vp);
 if (error)
 return (error);
+ bzero(&osb, sizeof (osb));
 cvtstat(&sb, &osb);
 error = copyout((caddr_t)&osb, (caddr_t)SCARG(uap, ub), sizeof (osb));
 return (error);
@@ -1613,6 +1615,7 @@
 SCARG(uap, path), p);
 if (error = namei(&nd))
 return (error);
+ bzero(&sb, sizeof (sb));
 error = vn_stat(nd.ni_vp, &sb, p);
 vput(nd.ni_vp);
 if (error)
@@ -1648,6 +1651,7 @@
 SCARG(uap, path), p);
 if (error = namei(&nd))
 return (error);
+ bzero(&sb, sizeof (sb));
 vp = nd.ni_vp;
 error = vn_stat(vp, &sb, p);
 vput(vp);
@@ -1707,6 +1711,7 @@
 vput(nd.ni_vp);
 if (error)
 return (error);
+ bzero(&nsb, sizeof (nsb));
 cvtnstat(&sb, &nsb);
 error = copyout((caddr_t)&nsb, (caddr_t)SCARG(uap, ub), sizeof (nsb));
 return (error);
@@ -1745,6 +1750,7 @@
 vput(vp);
 if (error)
 return (error);
+ bzero(&nsb, sizeof (nsb));
 cvtnstat(&sb, &nsb);
 error = copyout((caddr_t)&nsb, (caddr_t)SCARG(uap, ub), sizeof (nsb));
 return (error);
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
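Review bot: Clearing `sb` at the call sites in -1613 and -1648 covers only these two callers of `vn_stat()`; any other code that fills a stack `struct stat` and copies it out, which the message itself suspects exists, keeps the leak. Clearing once inside the routines that fill the structs would cover every caller: `bzero(sb, sizeof (*sb));` as the first statement of `vn_stat()`, and the same on the destination inside `cvtstat()` and `cvtnstat()` (parameter names assumed, since those functions are outside the hunks). If the per-site calls stay, each deserves a short comment such as `/* zero spare fields and padding before copyout to userland */` so a later cleanup does not drop the call as redundant. Both enclosing functions start and end outside their hunks.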