kern/158880: bpf_filter() can leak kernel stack contents
Guy Harris
guy at alum.mit.edu
Thu Jul 14 00:50:09 UTC 2011
>Number: 158880
>Category: kern
>Synopsis: bpf_filter() can leak kernel stack contents
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jul 14 00:50:08 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Guy Harris
>Release: Any
>Organization:
>Environment:
N/A (problem found by looking at OpenBSD's source repository)
>Description:
http://seclists.org/fulldisclosure/2010/Nov/89
That's Linux's BPF interpreter, but the same problem exists with the *BSD BPF interpreter:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/bpf_filter.c.diff?r1=1.21;r2=1.22
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/bpf_filter.c?rev=1.22;content-type=text%2Fx-cvsweb-markup
>How-To-Repeat:
A little more work, as BSD's BPF interpreter isn't supported on arbitrary sockets, just on BPF devices, but you could probably try to cook something interesting up.
>Fix:
Add a bzero() or memset(..., 0, ...) to zero out the mem array early in bpf_filter().
>Release-Note:
>Audit-Trail:
>Unformatted:
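The fix proposed in the report, as an added example that is not part of the original report and is not FreeBSD's bpf_filter() code: a toy interpreter for a few classic BPF opcodes, run with and without zeroing the scratch array. The names run_filter, residue and zero_mem are hypothetical, and the caller-supplied residue array is constructed data standing in for leftover stack contents.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF opcode values (same encoding as net/bpf.h), redefined here
 * so the example builds without kernel headers. */
#define BPF_MEMWORDS 16
enum { BPF_LD = 0x00, BPF_ST = 0x02, BPF_RET = 0x06,
       BPF_IMM = 0x00, BPF_MEM = 0x60, BPF_K = 0x00, BPF_A = 0x10 };

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Toy interpreter for a small subset of classic BPF. `residue` models what
 * earlier calls left on the stack where mem[] lives (an assumption of this
 * example); zero_mem selects the behaviour the Fix section proposes. */
uint32_t run_filter(const struct insn *pc, size_t len,
                    const uint32_t residue[BPF_MEMWORDS], int zero_mem)
{
    uint32_t A = 0, mem[BPF_MEMWORDS];

    memcpy(mem, residue, sizeof(mem));   /* stand-in for uninitialized slots */
    if (zero_mem)
        memset(mem, 0, sizeof(mem));     /* the proposed fix */

    for (size_t i = 0; i < len; i++) {
        uint32_t k = pc[i].k;
        switch (pc[i].code) {
        case BPF_LD | BPF_IMM: A = k; break;
        case BPF_LD | BPF_MEM: if (k >= BPF_MEMWORDS) return 0; A = mem[k]; break;
        case BPF_ST:           if (k >= BPF_MEMWORDS) return 0; mem[k] = A; break;
        case BPF_RET | BPF_A:  return A;
        case BPF_RET | BPF_K:  return k;
        default:               return 0;  /* unsupported opcode: reject packet */
        }
    }
    return 0;
}

/* Constructed inputs: a stale value in slot 3 and two tiny filters. */
static const uint32_t stale[BPF_MEMWORDS] = { [3] = 0xdeadbeef };
static const struct insn load_unwritten[] = {
    { BPF_LD | BPF_MEM, 0, 0, 3 }, { BPF_RET | BPF_A, 0, 0, 0 } };
static const struct insn store_then_load[] = {
    { BPF_LD | BPF_IMM, 0, 0, 42 }, { BPF_ST, 0, 0, 3 },
    { BPF_LD | BPF_MEM, 0, 0, 3 }, { BPF_RET | BPF_A, 0, 0, 0 } };

int main(void)
{
    printf("unzeroed: 0x%08x\n", (unsigned)run_filter(load_unwritten, 2, stale, 0));
    printf("zeroed:   0x%08x\n", (unsigned)run_filter(load_unwritten, 2, stale, 1));
    printf("st+ld:    %u\n", (unsigned)run_filter(store_then_load, 4, stale, 1));
    return 0;
}
```

Zeroing changes only what a load from a never-written slot returns; a filter that stores to a slot before loading it behaves the same either way.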