Date: Wed, 11 Aug 2021 01:13:42 GMT From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: ec95c1303332 - stable/13 - pf: Initialize arrays before copying out to userland Message-ID: <202108110113.17B1DgvZ026807@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=ec95c1303332ea3f157a61d696be8a1d3ec5d3b7 commit ec95c1303332ea3f157a61d696be8a1d3ec5d3b7 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-07-28 14:16:25 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-08-11 01:11:02 +0000 pf: Initialize arrays before copying out to userland A number of pf ioctls populate an array of structures and copy it out. They have the following structures: - caller specifies the size of its output buffer - ioctl handler allocates a kernel buffer of the same size - ioctl handler populates the buffer, possibly leaving some items initialized if the caller provided more space than needed - ioctl handler copies the entire buffer out to userland Thus, if more space was provided than is required, we end up copying out uninitialized kernel memory. Simply zero the buffer at allocation time to prevent this. Reported by: KMSAN Reviewed by: kp Sponsored by: The FreeBSD Foundation (cherry picked from commit 2b82c57e399700f5134c47d86d45ef2f2bd465e2) --- sys/netpfil/pf/pf_ioctl.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 39931540d03d..6d2403bf213d 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -3811,7 +3811,7 @@ DIOCCHANGEADDR_error: totlen = io->pfrio_size * sizeof(struct pfr_table); pfrts = mallocarray(io->pfrio_size, sizeof(struct pfr_table), - M_TEMP, M_NOWAIT); + M_TEMP, M_NOWAIT | M_ZERO); if (pfrts == NULL) { error = ENOMEM; PF_RULES_RUNLOCK(); @@ -3849,7 +3849,7 @@ DIOCCHANGEADDR_error: totlen = io->pfrio_size * sizeof(struct pfr_tstats); pfrtstats = mallocarray(io->pfrio_size, - sizeof(struct pfr_tstats), M_TEMP, M_NOWAIT); + sizeof(struct pfr_tstats), M_TEMP, M_NOWAIT | M_ZERO); if (pfrtstats == NULL) { error = ENOMEM; PF_RULES_RUNLOCK(); @@ -4081,7 +4081,7 @@ DIOCCHANGEADDR_error: } totlen = io->pfrio_size * sizeof(struct pfr_addr); pfras = mallocarray(io->pfrio_size, sizeof(struct pfr_addr), - M_TEMP, M_WAITOK); + M_TEMP, M_WAITOK | M_ZERO); PF_RULES_RLOCK(); error = pfr_get_addrs(&io->pfrio_table, pfras, &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL); @@ -4109,7 +4109,7 @@ DIOCCHANGEADDR_error: } totlen = io->pfrio_size * sizeof(struct pfr_astats); pfrastats = mallocarray(io->pfrio_size, - sizeof(struct pfr_astats), M_TEMP, M_WAITOK); + sizeof(struct pfr_astats), M_TEMP, M_WAITOK | M_ZERO); PF_RULES_RLOCK(); error = pfr_get_astats(&io->pfrio_table, pfrastats, &io->pfrio_size, io->pfrio_flags | PFR_FLAG_USERIOCTL); @@ -4613,7 +4613,7 @@ DIOCCHANGEADDR_error: bufsiz = io->pfiio_size * sizeof(struct pfi_kif); ifstore = mallocarray(io->pfiio_size, sizeof(struct pfi_kif), - M_TEMP, M_WAITOK); + M_TEMP, M_WAITOK | M_ZERO); PF_RULES_RLOCK(); pfi_get_ifaces(io->pfiio_name, ifstore, &io->pfiio_size);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202108110113.17B1DgvZ026807>