kern/158880: bpf_filter() can leak kernel stack contents

Guy Harris guy at
Thu Jul 14 00:50:09 UTC 2011

>Number:         158880
>Category:       kern
>Synopsis:       bpf_filter() can leak kernel stack contents
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 14 00:50:08 UTC 2011
>Originator:     Guy Harris
>Release:        Any
N/A (problem found by looking at OpenBSD's source repository)

That's Linux's BPF interpreter, but the same problem exists with the *BSD BPF interpreter:;r2=1.22;content-type=text%2Fx-cvsweb-markup

A little more work, as BSD's BPF interpreter isn't supported on arbitrary sockets, just on BPF devices, but you could probably try to cook something interesting up.
Add a bzero() or memset(..., 0, ...) to zero out the men array early in bpf_filter().


More information about the freebsd-bugs mailing list