dev:md: A kernel address leakage in sys/dev/md/md.c
Fuqian Huang
huangfq.daxian at gmail.com
Thu Jun 13 06:52:37 UTC 2019

In freebsd/sys/dev/md/md.c,
if the kernel is created with option MD_ROOT,
g_md_init will call md_preload and use mfs_root as the image.
In function md_preload, the address of the image will be printed out;
in this case, the address of the image is the address of a global object, mfs_root.
A kernel address leak happens.

Patch suggestion: use a macro like #ifdef DEBUG to wrap the printf statement.

u_char mfs_root[MD_ROOT_SIZE*1024] __attribute__ ((section("oldmfs")));

static void
g_md_init(struct g_class *mp __unused)
{
	...
#ifdef MD_ROOT
	...
#ifdef MD_ROOT_MEM
	md_preload(mfs_root, mfs_root_size, NULL);
#else
	md_preload(__DEVOLATILE(u_char *, &mfs_root), mfs_root_size,
	    NULL);
#endif
	...
#endif
}

static void
md_preload(u_char *image, size_t length, const char *name)
{
	...
	if (name != NULL) {
		printf("%s%d: Preloaded image <%s> %zd bytes at %p\n",
		    MD_NAME, sc->unit, name, length, image);
	} else {
		printf("%s%d: Embedded image %zd bytes at %p\n",
		    MD_NAME, sc->unit, length, image);
	}
}
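
An audit helper for the pattern reported above, as an added example that is not part of the original post or of FreeBSD's code: it counts printf lines that use %p outside an #ifdef DEBUG region. The function name and the sample strings (constructed from the md_preload calls quoted in the post) are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples: the md_preload() printf calls quoted in the post, as
 * posted, and one of them wrapped in #ifdef DEBUG as the post suggests. */
static const char AS_POSTED[] =
    "printf(\"%s%d: Preloaded image <%s> %zd bytes at %p\\n\",\n"
    "    MD_NAME, sc->unit, name, length, image);\n"
    "printf(\"%s%d: Embedded image %zd bytes at %p\\n\",\n"
    "    MD_NAME, sc->unit, length, image);\n";
static const char WRAPPED[] =
    "#ifdef DEBUG\n"
    "printf(\"%s%d: Embedded image %zd bytes at %p\\n\",\n"
    "    MD_NAME, sc->unit, length, image);\n"
    "#endif\n";

/* Count lines calling printf with %p outside any #ifdef DEBUG region.
 * Assumes the format string sits on the same line as the call; nesting
 * deeper than 32 conditionals is not tracked. */
int count_unguarded_ptr_prints(const char *src)
{
    int guard[32], depth = 0, hits = 0;   /* guard[i]: level i is a DEBUG body */
    char line[256], name[32];
    while (*src != '\0') {
        size_t len = strcspn(src, "\n");
        snprintf(line, sizeof(line), "%.*s", (int)len, src);
        src += len + (src[len] == '\n');
        const char *p = line + strspn(line, " \t");
        if (*p == '#') {                  /* preprocessor directive */
            p += 1 + strspn(p + 1, " \t");
            if (strncmp(p, "if", 2) == 0 && depth < 32)
                guard[depth++] = sscanf(p, "ifdef %31s", name) == 1 &&
                                 strcmp(name, "DEBUG") == 0;
            else if (strncmp(p, "el", 2) == 0 && depth > 0)
                guard[depth - 1] = 0;     /* #else/#elif branch is not DEBUG */
            else if (strncmp(p, "endif", 5) == 0 && depth > 0)
                depth--;
            continue;
        }
        int guarded = 0;
        for (int i = 0; i < depth; i++)
            guarded |= guard[i];
        if (!guarded && strstr(line, "printf(") && strstr(line, "%p"))
            hits++;
    }
    return hits;
}
int main(void) {
    printf("as posted: %d, wrapped: %d\n",
           count_unguarded_ptr_prints(AS_POSTED), count_unguarded_ptr_prints(WRAPPED));
    return 0;
}
```
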