Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/compat Fix three stack info leaks, found by kMSan when j...



details:   https://anonhg.NetBSD.org/src/rev/2f1e30b33c35
branches:  trunk
changeset: 1006096:2f1e30b33c35
user:      maxv <maxv%NetBSD.org@localhost>
date:      Wed Jan 01 14:52:38 2020 +0000

description:
Fix three stack info leaks, found by kMSan when just invoking all syscalls
with a zero page as argument.

MSan: Uninitialized Stack Memory In copyout() At Offset 0, Variable 'sb32' From compat_20_netbsd32_getfsstat()
MSan: Uninitialized Stack Memory In copyout() At Offset 12, Variable 'oss' From compat_43_sys_sigstack()
MSan: Uninitialized Stack Memory In copyout() At Offset 0, Variable 'sb' From compat_50_netbsd32___fhstat40()

diffstat:

 sys/compat/common/kern_sig_43.c          |  5 +++--
 sys/compat/netbsd32/netbsd32_compat_20.c |  5 +++--
 sys/compat/netbsd32/netbsd32_compat_50.c |  8 ++++----
 3 files changed, 10 insertions(+), 8 deletions(-)

diffs (82 lines):

diff -r 2756535c626e -r 2f1e30b33c35 sys/compat/common/kern_sig_43.c
--- a/sys/compat/common/kern_sig_43.c   Wed Jan 01 14:33:48 2020 +0000
+++ b/sys/compat/common/kern_sig_43.c   Wed Jan 01 14:52:38 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: kern_sig_43.c,v 1.35 2019/01/27 02:08:39 pgoyette Exp $        */
+/*     $NetBSD: kern_sig_43.c,v 1.36 2020/01/01 14:52:38 maxv Exp $    */
 
 /*-
  * Copyright (c) 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_sig_43.c,v 1.35 2019/01/27 02:08:39 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_sig_43.c,v 1.36 2020/01/01 14:52:38 maxv Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -128,6 +128,7 @@
 void
 compat_43_sigaltstack_to_sigstack(const struct sigaltstack *sa, struct sigstack *ss)
 {
+       memset(ss, 0, sizeof(*ss));
        ss->ss_sp = sa->ss_sp;
        if (sa->ss_flags & SS_ONSTACK)
                ss->ss_onstack = 1;
diff -r 2756535c626e -r 2f1e30b33c35 sys/compat/netbsd32/netbsd32_compat_20.c
--- a/sys/compat/netbsd32/netbsd32_compat_20.c  Wed Jan 01 14:33:48 2020 +0000
+++ b/sys/compat/netbsd32/netbsd32_compat_20.c  Wed Jan 01 14:52:38 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: netbsd32_compat_20.c,v 1.38 2019/01/27 02:08:40 pgoyette Exp $ */
+/*     $NetBSD: netbsd32_compat_20.c,v 1.39 2020/01/01 14:52:38 maxv Exp $     */
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_20.c,v 1.38 2019/01/27 02:08:40 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_20.c,v 1.39 2020/01/01 14:52:38 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -57,6 +57,7 @@
 static inline void
 compat_20_netbsd32_from_statvfs(struct statvfs *sbp, struct netbsd32_statfs *sb32p)
 {
+       sb32p->f_type = 0; /* XXX Put an actual value? */
        sb32p->f_flags = sbp->f_flag;
        sb32p->f_bsize = (netbsd32_long)sbp->f_bsize;
        sb32p->f_iosize = (netbsd32_long)sbp->f_iosize;
diff -r 2756535c626e -r 2f1e30b33c35 sys/compat/netbsd32/netbsd32_compat_50.c
--- a/sys/compat/netbsd32/netbsd32_compat_50.c  Wed Jan 01 14:33:48 2020 +0000
+++ b/sys/compat/netbsd32/netbsd32_compat_50.c  Wed Jan 01 14:52:38 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: netbsd32_compat_50.c,v 1.43 2019/12/15 16:48:26 tsutsui Exp $  */
+/*     $NetBSD: netbsd32_compat_50.c,v 1.44 2020/01/01 14:52:38 maxv Exp $     */
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -29,7 +29,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_50.c,v 1.43 2019/12/15 16:48:26 tsutsui Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_compat_50.c,v 1.44 2020/01/01 14:52:38 maxv Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -803,9 +803,9 @@
        int error;
 
        error = do_fhstat(l, SCARG_P32(uap, fhp), SCARG(uap, fh_size), &sb);
-       if (error != 0) {
+       if (error == 0) {
                netbsd32_from___stat50(&sb, &sb32);
-               error = copyout(&sb32, SCARG_P32(uap, sb), sizeof(sb));
+               error = copyout(&sb32, SCARG_P32(uap, sb), sizeof(sb32));
        }
        return error;
 }



Home | Main Index | Thread Index | Old Index