git: d3aef2d8fc89 - stable/11 - Avoid kernel stack disclosure in compat32 stat
Date: Tue, 29 Mar 2022 20:18:36 UTC
The branch stable/11 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=d3aef2d8fc89def105f84dca7f35a901d861539c
commit d3aef2d8fc89def105f84dca7f35a901d861539c
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-03-29 14:48:00 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-03-29 20:18:07 +0000
Avoid kernel stack disclosure in compat32 stat
copy_stat and copy_ostat used by 32-bit compat *stat calls left spare
and padding bytes uninitialized.
This issue does not exist in stable/12 and later as it was incidentally
addressed as part of the 64-bit inode project.
Reported by: Reno Robert of Trend Micro Zero Day Initiative
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34706
---
sys/compat/freebsd32/freebsd32_misc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c
index d19050944aae..81fed2a8fc4e 100644
--- a/sys/compat/freebsd32/freebsd32_misc.c
+++ b/sys/compat/freebsd32/freebsd32_misc.c
@@ -1780,6 +1780,7 @@ static void
copy_stat(struct stat *in, struct stat32 *out)
{
+ bzero(out, sizeof(*out));
CP(*in, *out, st_dev);
CP(*in, *out, st_ino);
CP(*in, *out, st_mode);
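Review bot: the new bzero(out, sizeof(*out)) at the top of copy_stat carries no comment, and since the CP() lines after it assign the named fields one by one, a later reader could take it for a redundant clear. Suggest a one-line comment above it noting that it zeroes the spare and padding bytes of struct stat32, which the field-by-field copy never touches, so the call is not dropped in a future cleanup.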
@@ -1803,6 +1804,7 @@ static void
copy_ostat(struct stat *in, struct ostat32 *out)
{
+ bzero(out, sizeof(*out));
CP(*in, *out, st_dev);
CP(*in, *out, st_ino);
CP(*in, *out, st_mode);
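Review bot: copy_ostat receives the same bzero(out, sizeof(*out)) as copy_stat, which is the right fix for struct ostat32, but the log names only these two helpers and does not say whether any other code in freebsd32_misc.c that fills a 32-bit structure with CP() was checked for the same uninitialized spare and padding bytes. Suggest recording that in the commit message, or following up with the same zeroing wherever the field-by-field pattern is used on a structure returned to a 32-bit caller.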