Date: Tue, 6 Dec 2011 20:04:56 GMT
From: Loganaden Velvindron <loganaden@devio.us>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/163098: ktrace leak & fix
Message-ID: <201112062004.pB6K4uGY010407@red.freebsd.org>
Resent-Message-ID: <201112062010.pB6KA9AH071077@freefall.freebsd.org>
>Number:         163098
>Category:       kern
>Synopsis:       ktrace leak & fix
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 06 20:10:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Loganaden Velvindron
>Release:        8.2
>Organization:   devio.us
>Environment:
>Description:
djm@openbsd: The issue was that the syscall wrapper did not clear retval when an error occurs in the syscall itself. retval was being passed back to ktrace, and could leak some kernel stack (e.g. via ptrace PT_READ*).
>How-To-Repeat:
>Fix:
Index: src/sys/kern/kern_ktrace.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_ktrace.c,v retrieving revision 1.130.2.2.4.1 diff -u -p -r1.130.2.2.4.1 kern_ktrace.c --- src/sys/kern/kern_ktrace.c 21 Dec 2010 17:09:25 -0000 1.130.2.2.4.1 +++ src/sys/kern/kern_ktrace.c 3 Dec 2011 19:22:13 -0000 @@ -426,7 +426,7 @@ ktrsysret(code, error, retval) ktp = &req->ktr_data.ktr_sysret; ktp->ktr_code = code; ktp->ktr_error = error; - ktp->ktr_retval = retval; /* what about val2 ? */ + ktp->ktr_retval = error == 0 ? retval: 0; /* what about val2 ? */ ktr_submitrequest(curthread, req); }
>Release-Note:
>Audit-Trail:
>Unformatted:
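Review bot: the `+` line in the ktrsysret() hunk drops the space before the colon of the ternary (`retval: 0` should read `retval : 0`, matching the spacing used around the other operators in the same statement), and it would help to replace or extend the inherited `/* what about val2 ? */` comment with one line saying why a nonzero error zeroes the recorded value, since that comment does not explain the new condition. On the logic: zeroing at the point where the record is built is a sound defensive choice, because whatever the wrapper left in retval on the error path then never reaches the ktrace buffer regardless of which syscall failed; the description identifies the wrapper not clearing retval as the underlying cause, so this hunk stops the stale value from being recorded rather than removing it at its source.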