Zero the structures before calling the machdep routines that fill them
out. For good measure, ensure that those routines zero unused fields:
they might end up getting used in some other sensitive context (e.g.,
Linux ptrace emulation).
Details
Details
- Reviewers
jhb kib - Commits
- rS341442: Plug memory disclosures via ptrace(2).
Diff Detail
Diff Detail
- Lint
Lint Passed - Unit
No Test Coverage - Build Status
Buildable 21336 Build 20666: arc lint + arc unit
Event Timeline
sys/kern/sys_process.c | ||
---|---|---|
597 | So you zero-out struct reg before calling into MD code. Then why would we need to explicitly set r_err and r_trapno ? Might be for procfs, but isn't it better to clear at top-level in procfs too ? getcontext() seems to be immune to trapno/err leak for the same reason, top-level code clears the ucontext_t at start, and same is done for sigcontext. |
sys/kern/sys_process.c | ||
---|---|---|
597 | I tried to explain the motivation in the description: I wanted to try and protect other (future) consumers of the interface. I did not catch procfs, for instance. I agree that the explicit zeroing is preferable there, though, and will fix it too. If you still prefer to limit the zeroing to sys_ptrace() itself and procfs, I don't insist on modifying the machdep code. |