Clear non-x86 compat stat syscall kernel stack memory disclosure

Description

32-bit architectures other than i386 have 64-bit time_t which results
in a struct timespec with 12 bytes for tv_sec and tv_nsec, and 4 bytes
of padding. Zero the padding holes in struct stat32 and struct
freebsd11_stat32.

i386 has 32-bit time_t; struct timespec is 8 bytes and has no padding.

Found by inspection, prompted by a report by Reno Robert of Trend Micro
Zero Day Initiative. The originally reported issue (ZDI-CAN-14538) is
already fixed in all supported FreeBSD versions (it was addressed
incidentally as part of the 64-bit inode project).

Reviewed by: markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34709

Details

Provenance
emaste authored on Mar 29 2022, 5:55 PM
Reviewer
markj
Differential Revision
Restricted Differential Revision
Parents
rGe123e2294cb5: pf: guard against DIOCADDRULE without DIOCXBEGIN
Branches
Unknown
Tags
Unknown

Event Timeline

emaste added an edge: Restricted Differential Revision. Mar 29 2022, 8:15 PM
arichardson added inline comments.
/sys/compat/freebsd32/freebsd32_misc.c:2185

Wouldn't it be easier to zero the entire struct and rely on the compiler optimizing the redundant zeroing away? Not 100% certain it will, there might be some threshold of number of analyzed stores.

/sys/compat/freebsd32/freebsd32_misc.c:2185

There are a few different approaches we could take and we can iterate on it in main. In fact, I think we can avoid copy_stat entirely on little-endian 64-bit architectures other than x86, as I believe struct stat and struct stat32 have the same layout except that the upper bits of tv_nsec in stat are padding in stat32.
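To make the padding hole from the commit message concrete, and to show the whole-struct zeroing arichardson asks about in the inline comment, here is an added example; it is not FreeBSD's copy_stat or any code from this revision. The struct names (ts32, stat32_model), the reduced field set and the sample values are assumptions: a constructed model of a timespec with 64-bit time_t, a field-by-field copy that leaves the hole untouched beside one that zeroes the object first, and a byte-level check over the padding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of struct timespec on a 32-bit ABI with 64-bit time_t (the
 * non-i386 case above): 8-byte tv_sec, 4-byte tv_nsec, 4 bytes of tail padding. */
struct ts32 {
    _Alignas(8) int64_t tv_sec;   /* _Alignas pins this layout on any host */
    int32_t tv_nsec;              /* 4 bytes of implicit padding follow */
};
/* Hypothetical, trimmed stand-in for struct stat32 (time fields only). */
struct stat32_model {
    uint32_t st_mode, st_nlink;
    struct ts32 st_atim, st_mtim;
};
/* Padding bytes per timespec: 4 here, 0 for i386's 32-bit time_t layout. */
size_t ts32_padding_bytes(void) {
    return sizeof(struct ts32) - offsetof(struct ts32, tv_nsec) - sizeof(int32_t);
}
/* Field-by-field copy: the holes keep whatever the stack already held. */
void copy_stat_leaky(struct stat32_model *out, int64_t sec, int32_t nsec) {
    out->st_mode = 0100644;  out->st_nlink = 1;
    out->st_atim.tv_sec = sec;  out->st_atim.tv_nsec = nsec;
    out->st_mtim.tv_sec = sec;  out->st_mtim.tv_nsec = nsec;
}
/* Fixed variant: zero the whole object first, then fill the fields. */
void copy_stat_zeroed(struct stat32_model *out, int64_t sec, int32_t nsec) {
    memset(out, 0, sizeof(*out));
    copy_stat_leaky(out, sec, nsec);
}

/* 1 if every padding byte of both timespecs is zero, else 0. */
int stat32_padding_is_zero(const struct stat32_model *st) {
    const struct ts32 *ts[2] = { &st->st_atim, &st->st_mtim };
    size_t first_pad = offsetof(struct ts32, tv_nsec) + sizeof(int32_t);
    for (int i = 0; i < 2; i++)
        for (size_t j = first_pad; j < sizeof(struct ts32); j++)
            if (((const unsigned char *)ts[i])[j] != 0)
                return 0;
    return 1;
}

/* Fill a "stale kernel stack" frame with a constructed 0xA5 pattern, run one
 * copy routine over it and report whether the padding came out zeroed. */
int run_copy(void (*copy)(struct stat32_model *, int64_t, int32_t)) {
    struct stat32_model st;
    memset(&st, 0xA5, sizeof(st));
    copy(&st, 1648576512, 123456789);
    return stat32_padding_is_zero(&st);
}
```

With the leaky copy the four bytes after each tv_nsec still hold the 0xA5 fill, which is exactly what a copyout of the struct would hand to userland; the zeroed variant returns them as 0.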