git: b6be9566d236 - main - Fix buffer overflow in preloaded hostuuid cleaning

Colin Percival cperciva at FreeBSD.org
Tue May 18 03:08:19 UTC 2021 

The branch main has been updated by cperciva:

URL: https://cgit.FreeBSD.org/src/commit/?id=b6be9566d236f83ad1a44170a64b9a34e382eafa

commit b6be9566d236f83ad1a44170a64b9a34e382eafa
Author:     Colin Percival <cperciva at FreeBSD.org>
AuthorDate: 2021-05-14 18:07:37 +0000
Commit:     Colin Percival <cperciva at FreeBSD.org>
CommitDate: 2021-05-18 03:07:49 +0000

    Fix buffer overflow in preloaded hostuuid cleaning
    
    When a module of type "hostuuid" is provided by the loader,
    prison0_init strips any trailing whitespace and ASCII control
    characters by (a) adjusting the buffer length, and (b) zeroing out
    the characters in question, before storing it as the system's
    hostuuid.
    
    The buffer length adjustment was correct, but the zeroing overwrote
    one byte higher in memory than intended -- in the typical case,
    zeroing one byte past the end of the hostuuid buffer.  Due to the
    layout of buffers passed by the boot loader to the kernel, this will
    be the first byte of a subsequent buffer.
    
    This was *probably* harmless; prison0_init runs after preloaded kernel
    modules have been linked and after the preloaded /boot/entropy cache
    has been processed, so in both cases having the first byte overwritten
    will not cause problems.  We cannot however rule out the possibility
    that other objects which are preloaded by the loader could suffer from
    having the first byte overwritten.
    
    Since the zeroing does not in fact serve any purpose, remove it and
    trim trailing whitespace and ASCII control characters by adjusting
    the buffer length alone.
    
    Fixes:          c3188289 Preload hostuuid for early-boot use
    Reviewed by:    kevans, markj
    MFC after:      3 days
---
 sys/kern/kern_jail.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index f4cd6bd38d35..303e31490eb1 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -257,7 +257,7 @@ prison0_init(void)
 			 * non-printable characters to be safe.
 			 */
 			while (size > 0 && data[size - 1] <= 0x20) {
-				data[size--] = '\0';
+				size--;
 			}
 			if (validate_uuid(data, size, NULL, 0) == 0) {
 				(void)strlcpy(prison0.pr_hostuuid, data,

More information about the dev-commits-src-all mailing list