Date:      Thu, 13 Jun 2019 14:52:24 +0800
From:      Fuqian Huang <huangfq.daxian@gmail.com>
To:        freebsd-hackers@freebsd.org
Subject:   dev:md: A kernel address leakage in sys/dev/md/md.c
Message-ID:  <CABXRUiSGuH-dLX3mJhmMTfm4qs%2BYsnCTimQkh=uxuaA8=U0Xcg@mail.gmail.com>

In freebsd/sys/dev/md/md.c,
if the kernel is created with option MD_ROOT,
g_md_init will call md_preload and use mfs_root as the image.
In function md_preload, the address of image will be printed out;
in this case, the address of image is the address of the global object mfs_root.
A kernel address leakage happens.
Patch suggestion: use a macro like #ifdef DEBUG to wrap the printf statement.

u_char mfs_root[MD_ROOT_SIZE*1024] __attribute__ ((section("oldmfs")));

static void
g_md_init(struct g_class *mp __unused)
{
    ...
#ifdef MD_ROOT
    ...
#ifdef MD_ROOT_MEM
    md_preload(mfs_root, mfs_root_size, NULL);
#else
    md_preload(__DEVOLATILE(u_char *, &mfs_root), mfs_root_size,
                NULL);
#endif
    ...
#endif
}

static void
md_preload(u_char *image, size_t length, const char *name)
{
    ...
    if (name != NULL) {
        printf("%s%d: Preloaded image <%s> %zd bytes at %p\n",
            MD_NAME, sc->unit, name, length, image);
    } else {
        printf("%s%d: Embedded image %zd bytes at %p\n",
            MD_NAME, sc->unit, length, image);
    }
}
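
An added example, not part of the original message or of the FreeBSD source: a user-space C check that flags boot-log lines of the two shapes printed by md_preload when they carry a %p value, for auditing captured dmesg output before and after the printf is wrapped. The function name md_line_discloses_addr and the sample lines, including their addresses, are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample lines; the addresses are made up for this example. */
static const char *samples[] = {
    "md0: Embedded image 4194304 bytes at 0xffffffff81a3c000",
    "md1: Preloaded image </boot/mfsroot> 8388608 bytes at 0xfffff80003e00000",
    "md0: Embedded image 4194304 bytes",       /* shape with no address */
    "ada0: 476940MB (976773168 512 byte sectors)",
};

/* Return 1 and store the printed value in *addr if line is an md preload
 * message of the shape quoted above that ends in a %p value, else 0. */
int
md_line_discloses_addr(const char *line, unsigned long long *addr)
{
    const char *p, *s, *at = NULL;

    /* Find "md<unit>: Embedded|Preloaded image" (a timestamp may precede). */
    for (p = strstr(line, "md"); p != NULL; p = strstr(p + 2, "md")) {
        const char *q = p + 2;
        if (!isdigit((unsigned char)*q))
            continue;
        while (isdigit((unsigned char)*q))
            q++;
        if (strncmp(q, ": Embedded image ", 17) == 0 ||
            strncmp(q, ": Preloaded image <", 19) == 0)
            break;
    }
    if (p == NULL)
        return (0);
    /* Take the last " bytes at " so an odd image name cannot confuse us. */
    for (s = p; (s = strstr(s, " bytes at ")) != NULL; s += 10)
        at = s + 10;
    /* FreeBSD's %p prints 0x-prefixed hex. */
    if (at == NULL || sscanf(at, "0x%llx", addr) != 1)
        return (0);
    return (1);
}

int
main(void)
{
    unsigned long long a;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        if (md_line_discloses_addr(samples[i], &a))
            printf("address disclosed (0x%llx): %s\n", a, samples[i]);
    return (0);
}
```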


