Page MenuHomeFreeBSD

Fix memory disclosures from ptrace(PT_GET*REGS).
ClosedPublic

Authored by markj on Dec 3 2018, 4:29 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Nov 24, 4:41 PM
Unknown Object (File)
Sun, Nov 24, 2:29 PM
Unknown Object (File)
Sat, Nov 23, 4:49 PM
Unknown Object (File)
Fri, Nov 22, 5:33 PM
Unknown Object (File)
Fri, Nov 22, 4:20 PM
Unknown Object (File)
Fri, Nov 22, 11:28 AM
Unknown Object (File)
Tue, Nov 19, 6:06 PM
Unknown Object (File)
Tue, Nov 19, 5:49 PM
Subscribers

Details

Summary

Zero the structures before calling the machdep routines that fill them
out. For good measure, ensure that those routines zero unused fields:
they might end up getting used in some other sensitive context (e.g.,
Linux ptrace emulation).

Diff Detail

Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 21336
Build 20666: arc lint + arc unit

Event Timeline

sys/kern/sys_process.c
597

So you zero-out struct reg before calling into MD code. Then why would we need to explicitly set r_err and r_trapno ? Might be for procfs, but isn't it better to clear at top-level in procfs too ?

getcontext() seems to be immune to trapno/err leak for the same reason, top-level code clears the ucontext_t at start, and same is done for sigcontext.

markj marked an inline comment as done.Dec 3 2018, 5:27 PM
markj added inline comments.
sys/kern/sys_process.c
597

I tried to explain the motivation in the description: I wanted to try and protect other (future) consumers of the interface. I did not catch procfs, for instance. I agree that the explicit zeroing is preferable there, though, and will fix it too. If you still prefer to limit the zeroing to sys_ptrace() itself and procfs, I don't insist on modifying the machdep code.

  • Zero out reg structs in procfs too.

Explicitly bzero 32bit compat register structures in sys_ptrace().

This revision is now accepted and ready to land.Dec 3 2018, 5:52 PM
This revision was automatically updated to reflect the committed changes.