kern/163098: ktrace leak & fix

Loganaden Velvindron loganaden at devio.us
Tue Dec 6 20:10:09 UTC 2011


>Number:         163098
>Category:       kern
>Synopsis:       ktrace leak & fix
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 06 20:10:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Loganaden Velvindron
>Release:        8.2
>Organization:
devio.us
>Environment:
>Description:
djm at openbsd : The issue was that the syscall wrapper did not clear retval when
an error occurs in the syscall itself. retval was being passed back
to ktrace, and could leak some kernel stack (e.g. via ptrace PT_READ*).

>How-To-Repeat:

>Fix:
Index: src/sys/kern/kern_ktrace.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_ktrace.c,v
retrieving revision 1.130.2.2.4.1
diff -u -p -r1.130.2.2.4.1 kern_ktrace.c
--- src/sys/kern/kern_ktrace.c	21 Dec 2010 17:09:25 -0000	1.130.2.2.4.1
+++ src/sys/kern/kern_ktrace.c	3 Dec 2011 19:22:13 -0000
@@ -426,7 +426,7 @@ ktrsysret(code, error, retval)
 	ktp = &req->ktr_data.ktr_sysret;
 	ktp->ktr_code = code;
 	ktp->ktr_error = error;
-	ktp->ktr_retval = retval;		/* what about val2 ? */
+	ktp->ktr_retval = error == 0 ? retval: 0;	/* what about val2 ? */
 	ktr_submitrequest(curthread, req);
 }
 
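Review bot: the change at `ktp->ktr_retval = error == 0 ? retval: 0;` suppresses the stale value only at the point where ktrace records it, whereas the description places the root cause in the syscall wrapper not clearing retval on error; any other consumer of that retval still sees uninitialized stack, so the wrapper should clear it as well, with this hunk as defense in depth. Style nit: style(9) wants a space before the `:` (`retval : 0`). The `/* what about val2 ? */` comment is left standing and the hunk does not touch the second return value, so if it is recorded anywhere the same masking should apply to it.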

>Release-Note:
>Audit-Trail:
>Unformatted:
