git: 99d5ee8738a3 - stable/14 - ktrace: Fix uninitialized memory disclosure

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Mon, 20 Jan 2025 22:09:53 UTC
The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=99d5ee8738a354e0d8f12453a82ed87e47bd62f1

commit 99d5ee8738a354e0d8f12453a82ed87e47bd62f1
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-01-20 13:50:04 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-01-20 22:08:45 +0000

    ktrace: Fix uninitialized memory disclosure
    
    The sockaddr passed to ktrcapfail() may be smaller than
    sizeof(struct sockaddr), and the trailing bytes in the sockaddr
    structure will be uninitialized, whereupon they get copied out to
    userspace.
    
    PR:             283673
    Reviewed by:    jfree, emaste
    Reported by:    Yichen Chai <yichen.chai@gmail.com>
    Reported by:    Zhuo Ying Jiang Li <zyj20@cl.cam.ac.uk>
    Fixes:          9bec84131215 ("ktrace: Record detailed ECAPMODE violations")
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D48499
    
    (cherry picked from commit 5b86888bae651e54ccc0adde0ed897ec1c1e0d45)
---
 sys/kern/kern_ktrace.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 1c6a2ae01f3d..2b311f2d36dc 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -958,9 +958,16 @@ ktrcapfail(enum ktr_cap_violation type, const void *data)
 		case CAPFAIL_PROTO:
 			kcd->cap_int = *(const int *)data;
 			break;
-		case CAPFAIL_SOCKADDR:
-			kcd->cap_sockaddr = *(const struct sockaddr *)data;
+		case CAPFAIL_SOCKADDR: {
+			size_t len;
+
+			len = MIN(((const struct sockaddr *)data)->sa_len,
+			    sizeof(kcd->cap_sockaddr));
+			memset(&kcd->cap_sockaddr, 0,
+			    sizeof(kcd->cap_sockaddr));
+			memcpy(&kcd->cap_sockaddr, data, len);
 			break;
+		}
 		case CAPFAIL_NAMEI:
 			strlcpy(kcd->cap_path, data, MAXPATHLEN);
 			break;
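Review bot: In the CAPFAIL_SOCKADDR branch, `len = MIN(((const struct sockaddr *)data)->sa_len, sizeof(kcd->cap_sockaddr))` truncates any address longer than `struct sockaddr` (a `sockaddr_in6` is larger than the 16-byte generic `struct sockaddr`), while the `sa_len` byte copied into `kcd->cap_sockaddr` still carries the original, larger value. That is safe on the kernel side, since the `memset` now guarantees every byte of `cap_sockaddr` is initialized before it is copied out, but a consumer of the trace record (kdump, for example) must not use `cap_sockaddr.sa_len` as the number of valid bytes; consider clamping the recorded `sa_len` to `len` after the `memcpy`, or documenting in a comment that the field is a truncated prefix. Otherwise the change is the right shape: zeroing the whole destination before copying only `sa_len` bytes is what closes the disclosure of the trailing bytes described in the commit message, and the `MIN` also covers the case where `sa_len` exceeds the destination, which the old whole-struct assignment never checked.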