Date:      Mon, 18 Mar 2002 17:32:12 +1100 (EST)
From:      "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/36038: sendfile(2) on smbfs fails, exposes kernel memory to userspace
Message-ID:  <200203180632.g2I6WCE00274@descent.robbins.dropbear.id.au>


>Number:         36038
>Category:       kern
>Synopsis:       sendfile(2) on smbfs fails, exposes kernel memory to userspace
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 17 22:40:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Tim J. Robbins
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
>Environment:
System: FreeBSD descent.robbins.dropbear.id.au 4.5-STABLE FreeBSD 4.5-STABLE #7: Mon Mar 18 16:43:16 EST 2002 tim@descent.robbins.dropbear.id.au:/usr/obj/usr/src/sys/DESCENT i386

>Description:
sendfile(2) on a file on a smbfs mount usually fails with errno == EFAULT.
However, in certain situations it can accidentally leak what appears to
be random kernel memory.
>How-To-Repeat:
This simple program uses sendfile() to copy the specified files to
standard output (which must be a socket):

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>

#include <err.h>
#include <fcntl.h>
#include <unistd.h>

/*
 * Copies each file named on the command line to standard output with
 * sendfile(2).  Standard output must be a socket (e.g. run from inetd).
 */
int
main(int argc, char *argv[])
{
	const char *fn;
	int fd;

	while ((fn = *++argv) != NULL) {
		if ((fd = open(fn, O_RDONLY)) < 0)
			err(1, "open %s", fn);
		/* offset 0, nbytes 0: send the whole file; no headers or trailers */
		if (sendfile(fd, STDOUT_FILENO, 0, 0, NULL, NULL, 0) < 0)
			err(1, "sendfile %s", fn);
		close(fd);
	}

	return(0);
}


When run from inetd, it never gives the actual contents of the file like
it should (and does on other filesystems). It often gets EFAULT; other
times it dumps random garbage.

A more complicated program demonstrating this problem is thttpd (in ports),
which uses sendfile(2) to serve static pages. It does not work if the
pages it should serve are on smbfs.

>Fix:
Not known.
>Release-Note:
>Audit-Trail:
>Unformatted:
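The check below is an added example, not part of Tim's report and not FreeBSD code: it runs sendfile(2) on an open file into one end of a socketpair(2) from a child process, reads the other end in the parent, and compares each chunk with pread(2) of the same byte range, so on a file on smbfs it separates the EFAULT failure from the case where bytes that are not the file's contents come back (the result to look at for a kernel-memory leak), without needing inetd or thttpd. It uses the FreeBSD sendfile(2) call exactly as the program above does; the Linux branch via sys/sendfile.h is an assumption so the harness also builds there, and the sample file in sendfile_selftest() is constructed from a fixed byte pattern.

```c
/* Added example (not from the original report or from FreeBSD): compare the
 * bytes sendfile(2) puts on a socket with a pread(2) copy of the same file. */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/uio.h>		/* FreeBSD sendfile(2), as used in the report */
#else
#include <sys/sendfile.h>	/* assumption: Linux sendfile(2), other argument order */
#endif
enum { SF_ERROR = -1, SF_MISMATCH = 0, SF_MATCH = 1 };

/* Hand bytes [0, len) of fd to socket s; 0 iff exactly len bytes went out. */
static int
send_whole_file(int fd, int s, off_t len)
{
#ifdef __FreeBSD__
	off_t sbytes = 0;	/* offset 0, nbytes 0: whole file, as in the report */
	if (sendfile(fd, s, 0, 0, NULL, &sbytes, 0) < 0)
		return -1;
	return sbytes == len ? 0 : -1;
#else
	off_t off = 0;
	while (off < len)
		if (sendfile(s, fd, &off, (size_t)(len - off)) <= 0)
			return -1;
	return 0;
#endif
}

/* SF_MATCH if what sendfile(2) puts on the socket equals the file, SF_MISMATCH
 * if the bytes or their count differ (the "random garbage" case), SF_ERROR
 * with errno set (the child's sendfile errno, e.g. EFAULT) otherwise. */
int
sendfile_check_fd(int fd)
{
	unsigned char got[4096], ref[4096];
	struct stat st;
	off_t off = 0;
	int sv[2], status, saved, rc = SF_MATCH;
	ssize_t n, m;
	pid_t pid;
	if (fstat(fd, &st) < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return SF_ERROR;
	if ((pid = fork()) < 0) {
		close(sv[0]); close(sv[1]);
		return SF_ERROR;
	}
	if (pid == 0) {		/* child sends; its exit status carries errno */
		close(sv[0]);
		_exit(send_whole_file(fd, sv[1], st.st_size) < 0 ? (errno & 0xff) : 0);
	}
	close(sv[1]);
	/* Compare each chunk as it arrives with pread(2) of the same range (pread
	 * leaves the shared offset alone); keep draining after a mismatch so the
	 * child never blocks on a full socket buffer. */
	while ((n = read(sv[0], got, sizeof got)) > 0) {
		if (rc == SF_MATCH) {
			m = pread(fd, ref, (size_t)n, off);
			if (m != n || memcmp(got, ref, (size_t)n) != 0)
				rc = m < 0 ? SF_ERROR : SF_MISMATCH;
		}
		off += n;
	}
	saved = errno;
	close(sv[0]);
	if (waitpid(pid, &status, 0) < 0)
		return SF_ERROR;
	if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
		errno = WIFEXITED(status) ? WEXITSTATUS(status) : EIO;
		return SF_ERROR;
	}
	errno = saved;
	if (n < 0)
		return SF_ERROR;
	/* short delivery (fewer bytes than the file holds) is also a mismatch */
	return (rc == SF_MATCH && off != st.st_size) ? SF_MISMATCH : rc;
}

/* Constructed input: a tmpfile() holding nbytes of a fixed byte pattern, run
 * through the check.  On a regular filesystem this returns SF_MATCH. */
int
sendfile_selftest(size_t nbytes)
{
	FILE *fp = tmpfile();
	int rc;
	if (fp == NULL)
		return SF_ERROR;
	for (size_t i = 0; i < nbytes; i++)
		fputc((int)((i * 7 + 3) & 0xff), fp);
	rc = fflush(fp) == 0 ? sendfile_check_fd(fileno(fp)) : SF_ERROR;
	fclose(fp);
	return rc;
}
```

To try it against a mount, open the file read-only and pass the descriptor to sendfile_check_fd(): SF_ERROR carries sendfile's errno (the EFAULT case from the report), SF_MISMATCH is the case where something other than the file's bytes arrived, and a file larger than the socket buffer is fine because the parent drains while the child sends.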





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200203180632.g2I6WCE00274>