Fix memory disclosures from ptrace(PT_GET*REGS).
ClosedPublic
Actions

Authored by markj on Dec 3 2018, 4:29 PM.

Details

Reviewers

jhb
kib

Commits

rS341442: Plug memory disclosures via ptrace(2).

Summary

Zero the structures before calling the machdep routines that fill them
out. For good measure, ensure that those routines zero unused fields:
they might end up getting used in some other sensitive context (e.g.,
Linux ptrace emulation).

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Dec 3 2018, 4:29 PM

Harbormaster completed remote builds in B21333: Diff 51533.Dec 3 2018, 4:29 PM

markj added reviewers: jhb, kib.Dec 3 2018, 4:33 PM

kib added inline comments.Dec 3 2018, 5:18 PM

sys/kern/sys_process.c
597 ↗	(On Diff #51533)	So you zero-out struct reg before calling into MD code. Then why would we need to explicitly set r_err and r_trapno ? Might be for procfs, but isn't it better to clear at top-level in procfs too ? getcontext() seems to be immune to trapno/err leak for the same reason, top-level code clears the ucontext_t at start, and same is done for sigcontext.

markj marked an inline comment as done.Dec 3 2018, 5:27 PM

markj added inline comments.

sys/kern/sys_process.c
597 ↗	(On Diff #51533)	I tried to explain the motivation in the description: I wanted to try and protect other (future) consumers of the interface. I did not catch procfs, for instance. I agree that the explicit zeroing is preferable there, though, and will fix it too. If you still prefer to limit the zeroing to sys_ptrace() itself and procfs, I don't insist on modifying the machdep code.