Date: Mon, 20 Jan 2025 22:09:53 GMT
Message-Id: <202501202209.50KM9rSw052403@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 99d5ee8738a3 - stable/14 - ktrace: Fix uninitialized memory disclosure
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 99d5ee8738a354e0d8f12453a82ed87e47bd62f1

The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=99d5ee8738a354e0d8f12453a82ed87e47bd62f1

commit 99d5ee8738a354e0d8f12453a82ed87e47bd62f1
Author:     Mark Johnston
AuthorDate: 2025-01-20 13:50:04 +0000
Commit:     Mark Johnston
CommitDate: 2025-01-20 22:08:45 +0000

    ktrace: Fix uninitialized memory disclosure

    The sockaddr passed to ktrcapfail() may be smaller than sizeof(struct
    sockaddr), and the trailing bytes in the sockaddr structure will be
    uninitialized, whereupon they get copied out to userspace.

    PR:             283673
    Reviewed by:    jfree, emaste
    Reported by:    Yichen Chai
    Reported by:    Zhuo Ying Jiang Li
    Fixes:          9bec84131215 ("ktrace: Record detailed ECAPMODE violations")
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D48499

    (cherry picked from commit 5b86888bae651e54ccc0adde0ed897ec1c1e0d45)
---
 sys/kern/kern_ktrace.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 1c6a2ae01f3d..2b311f2d36dc 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -958,9 +958,16 @@ ktrcapfail(enum ktr_cap_violation type, const void *data) case CAPFAIL_PROTO: kcd->cap_int = *(const int *)data; break; - case CAPFAIL_SOCKADDR: - kcd->cap_sockaddr = *(const struct sockaddr *)data; + case CAPFAIL_SOCKADDR: { + size_t len; + + len = MIN(((const struct sockaddr *)data)->sa_len, + sizeof(kcd->cap_sockaddr)); + memset(&kcd->cap_sockaddr, 0, + sizeof(kcd->cap_sockaddr)); + memcpy(&kcd->cap_sockaddr, data, len); break; + } case CAPFAIL_NAMEI: strlcpy(kcd->cap_path, data, MAXPATHLEN); break;
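Review bot: in the CAPFAIL_SOCKADDR arm the copy length comes from the source sockaddr's own `sa_len`, so the record is only as accurate as the caller's `sa_len`; the `MIN(..., sizeof(kcd->cap_sockaddr))` cap bounds the destination write but does not protect against a short source object carrying an inflated `sa_len`, and a one-line comment above the `memcpy` stating that callers must pass a sockaddr that really holds `sa_len` bytes would make that contract explicit. The `memset` before the `memcpy` is what closes the disclosure from the commit message: bytes past `len` are now zero rather than whatever followed the short sockaddr, which the old whole-struct assignment `kcd->cap_sockaddr = *(const struct sockaddr *)data;` copied verbatim. The block scope introduced by `case CAPFAIL_SOCKADDR: {` to hold `size_t len` is fine and matches how the other arms avoid declarations in the switch body.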
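The defect the commit message describes, a whole-struct copy of a sockaddr that is shorter than sizeof(struct sockaddr), reproduced in user space as an added example that is not FreeBSD's code. The struct types are constructed stand-ins that mirror the BSD sockaddr layout (sa_len first), the 0xAA marker byte stands in for the uninitialized memory that follows a short sockaddr, and the function names are hypothetical; the fixed variant applies the same zero-then-bounded-copy pattern as the patch, and a counting helper shows how many marker bytes would reach userspace under each variant.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the BSD struct sockaddr layout (sa_len first). */
struct demo_sockaddr {
	uint8_t sa_len;
	uint8_t sa_family;
	char    sa_data[14];
};

/* Constructed stand-in for the trace record field that is copied out. */
struct demo_record {
	struct demo_sockaddr cap_sockaddr;
};

#define DEMO_MIN(a, b) ((a) < (b) ? (a) : (b))

/* Pattern before the fix: the struct assignment reads a full
 * sizeof(struct demo_sockaddr) bytes from data even when the caller's
 * object is shorter, so whatever follows the short object lands in the
 * record. (Hypothetical name.) */
void record_sockaddr_unfixed(struct demo_record *kcd, const void *data)
{
	kcd->cap_sockaddr = *(const struct demo_sockaddr *)data;
}

/* Pattern after the fix: zero the destination, then copy only sa_len
 * bytes, capped at the destination size so an over-large sa_len cannot
 * write past the record. (Hypothetical name.) */
void record_sockaddr_fixed(struct demo_record *kcd, const void *data)
{
	size_t len;

	len = DEMO_MIN(((const struct demo_sockaddr *)data)->sa_len,
	    sizeof(kcd->cap_sockaddr));
	memset(&kcd->cap_sockaddr, 0, sizeof(kcd->cap_sockaddr));
	memcpy(&kcd->cap_sockaddr, data, len);
}

/* Number of non-zero bytes in the record at offsets >= from: with a
 * sockaddr of `from` valid bytes, these are exactly the bytes that would
 * be disclosed on copyout. */
size_t nonzero_tail_bytes(const struct demo_record *kcd, size_t from)
{
	const unsigned char *p = (const unsigned char *)&kcd->cap_sockaddr;
	size_t n = 0;

	for (size_t i = from; i < sizeof(kcd->cap_sockaddr); i++)
		if (p[i] != 0)
			n++;
	return n;
}

/* Constructed input: a buffer the size of a full sockaddr, pre-filled with
 * the 0xAA marker (stands in for stale memory), with a short sockaddr of
 * sa_len bytes written at the front. buf must hold
 * sizeof(struct demo_sockaddr) bytes. */
void make_short_sockaddr(unsigned char *buf, uint8_t sa_len)
{
	memset(buf, 0xAA, sizeof(struct demo_sockaddr));
	buf[0] = sa_len;	/* sa_len */
	buf[1] = 1;		/* sa_family: arbitrary constructed value */
	if (sa_len > 2)
		buf[2] = 'a';	/* sa_data[0] */
	if (sa_len > 3)
		buf[3] = 'b';	/* sa_data[1] */
}

int main(void)
{
	unsigned char buf[sizeof(struct demo_sockaddr)];
	struct demo_record rec;

	make_short_sockaddr(buf, 4);	/* 4 valid bytes, 12 marker bytes */

	record_sockaddr_unfixed(&rec, buf);
	printf("unfixed: %zu stale bytes would be copied out\n",
	    nonzero_tail_bytes(&rec, 4));

	record_sockaddr_fixed(&rec, buf);
	printf("fixed:   %zu stale bytes would be copied out\n",
	    nonzero_tail_bytes(&rec, 4));

	/* Edge case: sa_len larger than the record; the MIN cap keeps the
	 * copy within sizeof(rec.cap_sockaddr). */
	make_short_sockaddr(buf, 200);
	record_sockaddr_fixed(&rec, buf);
	printf("capped:  sa_len recorded as %u\n", rec.cap_sockaddr.sa_len);
	return 0;
}
```

Running it prints 12 stale bytes for the unfixed copy and 0 for the fixed one; the third case shows that an sa_len of 200 is bounded to the 16-byte record without touching memory past it.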