From owner-freebsd-security Wed Nov 17 9: 1:59 1999 Delivered-To: freebsd-security@freebsd.org Received: from kronos.alcnet.com (kronos.alcnet.com [63.69.28.22]) by hub.freebsd.org (Postfix) with ESMTP id 538F414A21 for ; Wed, 17 Nov 1999 09:01:44 -0800 (PST) (envelope-from kbyanc@posi.net) X-Provider: ALC Communications, Inc. http://www.alcnet.com/ Received: from localhost (kbyanc@localhost) by kronos.alcnet.com (8.9.3/8.9.3/antispam) with ESMTP id MAA08461 for ; Wed, 17 Nov 1999 12:01:40 -0500 (EST) Date: Wed, 17 Nov 1999 12:01:40 -0500 (EST) From: Kelly Yancey X-Sender: kbyanc@kronos.alcnet.com To: freebsd-security@freebsd.org Subject: kernel stack contents visible from userland Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Is there any security concern with a portion of the kernel's stack being visible from userland? The reason I ask is that while investigating another issue, I noticed that the stat family of calls (and probably others) leak kernel stack contents to userland via the spare struct stat fields (I imagine other structures have similar behavior with regard to the padding between fields for alignment). The attached (simple) patch, applied in /sys/kern, fixes it for stat and family. That is, assuming that this is something that needs fixing :) -- Kelly Yancey - kbyanc@posi.net - Richmond, VA Director of Technical Services, ALC Communications http://www.alcnet.com/ Maintainer, BSD Driver Database http://www.posi.net/freebsd/drivers/ Coordinator, Team FreeBSD http://www.posi.net/freebsd/Team-FreeBSD/ --- kern_descrip.c.orig Mon Nov 15 22:11:57 1999 +++ kern_descrip.c Mon Nov 15 22:27:43 1999 
@@ -548,9 +548,11 @@
 panic("ofstat");
 /*NOTREACHED*/
 }
- cvtstat(&ub, &oub);
- if (error == 0)
+ if (error == 0) {
+ bzero(&oub, sizeof (oub));
+ cvtstat(&ub, &oub);
 error = copyout((caddr_t)&oub, (caddr_t)uap->sb, sizeof (oub));
+ }
 return (error);
 }
 #endif /* COMPAT_43 || COMPAT_SUNOS */
@@ -578,6 +580,7 @@
 if ((unsigned)uap->fd >= fdp->fd_nfiles ||
 (fp = fdp->fd_ofiles[uap->fd]) == NULL)
 return (EBADF);
+ bzero(&ub, sizeof (ub));
 switch (fp->f_type) {
 case DTYPE_FIFO:
@@ -646,6 +649,7 @@
 /*NOTREACHED*/
 }
 if (error == 0) {
+ bzero(&nub, sizeof (nub));
 cvtnstat(&ub, &nub);
 error = copyout((caddr_t)&nub, (caddr_t)uap->sb, sizeof (nub));
 }
--- vfs_syscalls.c.orig Mon Nov 15 23:25:48 1999
+++ vfs_syscalls.c Mon Nov 15 23:29:08 1999
@@ -1514,6 +1514,7 @@
 vput(nd.ni_vp);
 if (error)
 return (error);
+ bzero(&osb, sizeof (osb));
 cvtstat(&sb, &osb);
 error = copyout((caddr_t)&osb, (caddr_t)SCARG(uap, ub), sizeof (osb));
 return (error);
@@ -1552,6 +1553,7 @@
 vput(vp);
 if (error)
 return (error);
+ bzero(&osb, sizeof (osb));
 cvtstat(&sb, &osb);
 error = copyout((caddr_t)&osb, (caddr_t)SCARG(uap, ub), sizeof (osb));
 return (error);
@@ -1613,6 +1615,7 @@
 SCARG(uap, path), p);
 if (error = namei(&nd))
 return (error);
+ bzero(&sb, sizeof (sb));
 error = vn_stat(nd.ni_vp, &sb, p);
 vput(nd.ni_vp);
 if (error)
@@ -1648,6 +1651,7 @@
 SCARG(uap, path), p);
 if (error = namei(&nd))
 return (error);
+ bzero(&sb, sizeof (sb));
 vp = nd.ni_vp;
 error = vn_stat(vp, &sb, p);
 vput(vp);
@@ -1707,6 +1711,7 @@
 vput(nd.ni_vp);
 if (error)
 return (error);
+ bzero(&nsb, sizeof (nsb));
 cvtnstat(&sb, &nsb);
 error = copyout((caddr_t)&nsb, (caddr_t)SCARG(uap, ub), sizeof (nsb));
 return (error);
@@ -1745,6 +1750,7 @@
 vput(vp);
 if (error)
 return (error);
+ bzero(&nsb, sizeof (nsb));
 cvtnstat(&sb, &nsb);
 error = copyout((caddr_t)&nsb, (caddr_t)SCARG(uap, ub), sizeof (nsb));
 return (error);
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
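Review bot: Only the fstat hunk (kern_descrip.c @@ -578) and the two direct `vn_stat` hunks (vfs_syscalls.c @@ -1613 and @@ -1648) zero the struct the kernel actually fills (`ub`/`sb`); the six hunks that go through `cvtstat`/`cvtnstat` (kern_descrip.c @@ -548 and @@ -646, vfs_syscalls.c @@ -1514, @@ -1552, @@ -1707, @@ -1745) zero only the converted copy, so any spare field that the conversion routine carries over from the still-uninitialised source struct would reach `copyout` regardless of the new `bzero`. Whether that happens depends on the bodies of `cvtstat` and `cvtnstat`, which are not in the patch; unless they are known to skip every spare field, each of those six hunks should also clear the source, e.g. `bzero(&sb, sizeof (sb));` before the `vn_stat` call, mirroring the stat/lstat hunks. Zeroing once in the producer (`vn_stat` and the per-type routines that the `switch (fp->f_type)` in fstat dispatches to) would cover every present and future caller with a single change instead of eight, and deserves a one-line comment at that site explaining that the spare and padding bytes must not be left holding kernel stack contents. Every enclosing function here starts and ends outside its hunk.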