Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/ufs/ufs Zero out the padding in 'd_namlen', to prevent i...
details: https://anonhg.NetBSD.org/src/rev/e5f1fa824a0d
branches: trunk
changeset: 745254:e5f1fa824a0d
user: maxv <maxv%NetBSD.org@localhost>
date: Wed Feb 26 18:00:12 2020 +0000
description:
Zero out the padding in 'd_namlen', to prevent info leaks. Same logic as
ufs_makedirentry().
Found by kMSan: the unzeroed bytes of the pool_cache were getting copied
to the disk via a DMA write operation, and there kMSan was noticing
uninitialized memory leaving the system.
Reported-by: syzbot+382c9dffc06a9683abb5%syzkaller.appspotmail.com@localhost
diffstat:
sys/ufs/ufs/ufs_vnops.c | 10 +++++++---
1 files changed, 7 insertions(+), 3 deletions(-)
diffs (31 lines):
diff -r c39f2415077f -r e5f1fa824a0d sys/ufs/ufs/ufs_vnops.c
--- a/sys/ufs/ufs/ufs_vnops.c Wed Feb 26 16:12:44 2020 +0000
+++ b/sys/ufs/ufs/ufs_vnops.c Wed Feb 26 18:00:12 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ufs_vnops.c,v 1.248 2019/09/18 17:59:15 christos Exp $ */
+/* $NetBSD: ufs_vnops.c,v 1.249 2020/02/26 18:00:12 maxv Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -66,7 +66,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ufs_vnops.c,v 1.248 2019/09/18 17:59:15 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ufs_vnops.c,v 1.249 2020/02/26 18:00:12 maxv Exp $");
#if defined(_KERNEL_OPT)
#include "opt_ffs.h"
@@ -873,7 +873,11 @@
newdir->d_namlen = cnp->cn_namelen;
memcpy(newdir->d_name, cnp->cn_nameptr,
(size_t)cnp->cn_namelen);
- newdir->d_name[cnp->cn_namelen] = '\0';
+
+ /* NUL terminate and zero out padding */
+ memset(&newdir->d_name[cnp->cn_namelen], 0,
+ UFS_NAMEPAD(cnp->cn_namelen));
+
newdir->d_type = DT_WHT;
error = ufs_direnter(dvp, ulr, NULL, newdir, cnp, NULL);
pool_cache_put(ufs_direct_cache, newdir);
Home |
Main Index |
Thread Index |
Old Index