Date:      Wed, 17 Nov 1999 20:16:21 -0500 (EST)
From:      kbyanc@posi.net
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/14966: patch to zero spare stat fields
Message-ID:  <199911180116.UAA18313@kronos.alcnet.com>


>Number:         14966
>Category:       kern
>Synopsis:       patch to zero spare stat fields
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 17 17:20:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Kelly Yancey
>Release:        FreeBSD 3.2-STABLE i386
>Organization:
>Environment:

  Tested on recently-built 3.3-STABLE box. Should apply cleanly to -current also.

>Description:

  The stat structure defines 2 spare fields which were filled with random contents from the kernel stack. After some discussion on freebsd-security
http://docs.freebsd.org/cgi/mid.cgi?db=irt&id=Pine.BSF.4.05.9911171152270.8195-100000@kronos.alcnet.com
  it was suggested that if a program was ever to be able to test for the presence of valid values in new fields which may use the currently spare space, then we need to zero that space now. This patch zeros the spare fields of both struct stat and struct nstat (ostat doesn't contain any spare fields) with minimal impact on the code.

  Actually this patch also fixes a slight mistake in the ofstat code which filled in the ostat structure even if an error occurred. The patch changes ostat to behave more like nfstat and only copy the structure if an error has not occurred.

  Kelly

>How-To-Repeat:

  Call stat() twice on a file with an intervening syscall and memcmp the 2 structures you get back. Even if the file's metadata has not changed, the structures will differ (specifically the spare fields will differ).

>Fix:
	
  Apply this patch in /sys/kern:

--- kern_descrip.c.orig	Wed Nov 17 19:50:15 1999
+++ kern_descrip.c	Wed Nov 17 19:50:45 1999
@@ -548,9 +548,10 @@
 		panic("ofstat");
 		/*NOTREACHED*/
 	}
-	cvtstat(&ub, &oub);
-	if (error == 0)
+	if (error == 0) {
+		cvtstat(&ub, &oub);
 		error = copyout((caddr_t)&oub, (caddr_t)uap->sb, sizeof (oub));
+	}
 	return (error);
 }
 #endif /* COMPAT_43 || COMPAT_SUNOS */
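Review bot: moving cvtstat() inside the `if (error == 0)` block also stops it from reading `ub` on the error path, where `ub` may not have been filled in, so this is a correctness fix in its own right and not just a tidy-up; since it is unrelated to the spare-field zeroing in the Synopsis, it should be called out in the commit message (or committed separately) so the two changes can be tracked on their own.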
--- vfs_syscalls.c.orig	Mon Nov 15 23:25:48 1999
+++ vfs_syscalls.c	Wed Nov 17 19:53:32 1999
@@ -1677,6 +1677,8 @@
 	nsb->st_blksize = sb->st_blksize;
 	nsb->st_flags = sb->st_flags;
 	nsb->st_gen = sb->st_gen;
+	nsb->st_qspare[0] = sb->st_qspare[0];
+	nsb->st_qspare[1] = sb->st_qspare[1];
 }
 
 #ifndef _SYS_SYSPROTO_H_
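Review bot: copying `sb->st_qspare[0]` and `sb->st_qspare[1]` into `nsb` only yields zeros if every producer of the source struct stat cleared them first, so cvtnstat() silently depends on the vfs_vnops.c hunk; setting `nsb->st_qspare[0] = 0; nsb->st_qspare[1] = 0;` here (or clearing `*nsb` with bzero before the field-by-field copy) would make the conversion self-contained and, in the bzero form, also cover any other spare or padding bytes in struct nstat.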
--- vfs_vnops.c.orig	Wed Nov 17 19:42:30 1999
+++ vfs_vnops.c	Wed Nov 17 19:54:28 1999
@@ -375,6 +375,14 @@
 	error = VOP_GETATTR(vp, vap, p->p_ucred, p);
 	if (error)
 		return (error);
+
+	/*
+	 * Zero the spare stat fields
+	 */
+	sb->st_lspare = 0;
+	sb->st_qspare[0] = 0;
+	sb->st_qspare[1] = 0;
+
 	/*
 	 * Copy from vattr table
 	 */
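Review bot: zeroing `st_lspare` and `st_qspare[]` after a successful VOP_GETATTR fixes the reported leak for vn_stat(), but assigning the named fields one at a time leaves any compiler-inserted padding in struct stat untouched and has to be revisited whenever a spare field is repurposed; a single `bzero(sb, sizeof(*sb))` ahead of the "Copy from vattr table" block would cover padding and future fields alike at trivial cost. It is also worth confirming that descriptor types whose stat path does not go through vn_stat() clear the same fields, since the memcmp check in How-To-Repeat applies to them as well.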


>Release-Note:
>Audit-Trail:
>Unformatted:
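An added example, not part of the PR or of the FreeBSD sources, that carries out the How-To-Repeat check in C: it stats the same path twice with an unrelated syscall in between, compares the two structures byte for byte and reports the first differing offset. The default path "/" and getpid() as the intervening syscall are assumptions; on a kernel with this patch applied (or any kernel that clears the spare and padding bytes of struct stat) the two structures come back identical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Compare n bytes of a and b; on mismatch store the first differing offset
 * in *off (when off is non-NULL).  Returns 1 if they differ, 0 if equal. */
int bytes_differ(const void *a, const void *b, size_t n, size_t *off)
{
    const unsigned char *pa = a, *pb = b;
    size_t i;
    for (i = 0; i < n; i++) {
        if (pa[i] != pb[i]) {
            if (off != NULL)
                *off = i;
            return 1;
        }
    }
    return 0;
}

/* stat() path twice with an unrelated syscall in between and compare the raw
 * bytes of both results.  The buffers are zeroed first so any difference comes
 * from what the kernel (or libc wrapper) wrote, not from stale user stack.
 * Returns 1 if the structures differ, 0 if identical, -1 if stat() failed. */
int check_stat_stability(const char *path, size_t *off)
{
    struct stat a, b;
    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);
    if (stat(path, &a) != 0)
        return -1;
    (void)getpid();                 /* the intervening syscall from the PR (assumed choice) */
    if (stat(path, &b) != 0)
        return -1;
    return bytes_differ(&a, &b, sizeof a, off);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";  /* "/" is an assumed default */
    size_t off = 0;
    int r = check_stat_stability(path, &off);
    if (r < 0) { perror("stat"); return 2; }
    if (r)
        printf("%s: stat() results differ at byte %zu of %zu\n", path, off, sizeof(struct stat));
    else
        printf("%s: stat() results identical (%zu bytes)\n", path, sizeof(struct stat));
    return r;
}
```

Run it against any file or directory; a non-zero exit status with a reported offset is the signature of uninitialised bytes being copied out of the kernel.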

