git: 5b86888bae65 - main - ktrace: Fix uninitialized memory disclosure
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 20 Jan 2025 13:55:13 UTC
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=5b86888bae651e54ccc0adde0ed897ec1c1e0d45
commit 5b86888bae651e54ccc0adde0ed897ec1c1e0d45
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2025-01-20 13:50:04 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2025-01-20 13:54:49 +0000
ktrace: Fix uninitialized memory disclosure
The sockaddr passed to ktrcapfail() may be smaller than
sizeof(struct sockaddr), and the trailing bytes in the sockaddr
structure will be uninitialized, whereupon they get copied out to
userspace.
PR: 283673
Reviewed by: jfree, emaste
Reported by: Yichen Chai <yichen.chai@gmail.com>
Reported by: Zhuo Ying Jiang Li <zyj20@cl.cam.ac.uk>
Fixes: 9bec84131215 ("ktrace: Record detailed ECAPMODE violations")
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D48499
---
sys/kern/kern_ktrace.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 7a31fe234cb5..a67b773a154c 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -973,9 +973,16 @@ ktrcapfail(enum ktr_cap_violation type, const void *data)
case CAPFAIL_PROTO:
kcd->cap_int = *(const int *)data;
break;
- case CAPFAIL_SOCKADDR:
- kcd->cap_sockaddr = *(const struct sockaddr *)data;
+ case CAPFAIL_SOCKADDR: {
+ size_t len;
+
+ len = MIN(((const struct sockaddr *)data)->sa_len,
+ sizeof(kcd->cap_sockaddr));
+ memset(&kcd->cap_sockaddr, 0,
+ sizeof(kcd->cap_sockaddr));
+ memcpy(&kcd->cap_sockaddr, data, len);
break;
+ }
case CAPFAIL_NAMEI:
strlcpy(kcd->cap_path, data, MAXPATHLEN);
break;