Created attachment 176971: Example trigger

In kern/uipc_mqueue.c, sys_kmq_setattr() calls kern_kmq_setattr() to fill out a struct mq_attr before copying it back to userland; however, kern_kmq_setattr() does not zero the struct or clear the __reserved field, leaking 4 words' worth of uninitialized stack memory. The same goes for freebsd32_kmq_setattr, except it's mq_attr_to32() that does not clear __reserved in struct mq_attr32.

The mqueuefs kernel module needs to be loaded to reach this code. Example code is attached to dump leaked memory.
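The bug pattern described above, as an added userland illustration that is not the reporter's attached trigger and not the kernel's code: a simplified stand-in for struct mq_attr (assumed layout, four fields plus four reserved words) is filled once without zeroing and once with the struct zeroed first, over a buffer pre-filled with a constructed sentinel standing in for stale stack contents.

```c
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for FreeBSD's struct mq_attr (assumed layout, not
 * the kernel's definition): four populated fields plus four reserved words. */
struct mq_attr_like {
    long mq_flags;
    long mq_maxmsg;
    long mq_msgsize;
    long mq_curmsgs;
    long __reserved[4];
};

#define STALE_BYTE 0xAA  /* constructed stand-in for leftover stack data */

/* The bug pattern: the struct (a kernel stack variable in the real code)
 * gets its four real fields set, but __reserved is never written, so
 * whatever the memory held before is what copyout() later hands to userland. */
void fill_attr_unzeroed(struct mq_attr_like *attr) {
    attr->mq_flags = 0;
    attr->mq_maxmsg = 10;
    attr->mq_msgsize = 1024;
    attr->mq_curmsgs = 0;
}

/* The fix pattern: zero the whole struct before populating it, so the
 * reserved words carry no stale stack contents across the copyout(). */
void fill_attr_zeroed(struct mq_attr_like *attr) {
    memset(attr, 0, sizeof(*attr));
    attr->mq_flags = 0;
    attr->mq_maxmsg = 10;
    attr->mq_msgsize = 1024;
    attr->mq_curmsgs = 0;
}

/* Simulates a stack slot still holding data from an earlier call, runs one
 * fill routine over it, and counts how many reserved bytes remain stale. */
int count_stale_reserved_bytes(void (*fill)(struct mq_attr_like *)) {
    struct mq_attr_like attr;
    memset(&attr, STALE_BYTE, sizeof(attr));   /* "dirty" stack slot */
    fill(&attr);
    const unsigned char *p = (const unsigned char *)attr.__reserved;
    int stale = 0;
    for (size_t i = 0; i < sizeof(attr.__reserved); i++)
        if (p[i] == STALE_BYTE)
            stale++;
    return stale;
}
```

The same check applied to a compat conversion routine (the mq_attr_to32() case) would pre-fill the destination 32-bit struct and verify its reserved words after conversion.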
A commit references this bug:

Author: kib
Date: Mon Nov 14 13:20:10 UTC 2016
New revision: 308642
URL: https://svnweb.freebsd.org/changeset/base/308642

Log:
Initialize reserved bytes in struct mq_attr and its 32compat counterpart, to avoid kernel stack content leak in kmq_setattr(2) syscall. Also slightly simplify the checks around copyout()s.

Reported by: Vlad Tsyrklevich <vlad902+spam@gmail.com>
PR: 214488
MFC after: 1 week

Changes:
head/sys/kern/uipc_mqueue.c
Assign to committer resolving. Pending MFC.
@Konstantin If this needs an SA or other post-commit actions, please re-assign as necessary.
A commit references this bug:

Author: kib
Date: Mon Nov 21 10:44:40 UTC 2016
New revision: 308918
URL: https://svnweb.freebsd.org/changeset/base/308918

Log:
MFC r308642: Initialize reserved bytes in struct mq_attr.

PR: 214488

Changes:
_U stable/11/
stable/11/sys/kern/uipc_mqueue.c
A commit references this bug:

Author: kib
Date: Mon Nov 21 10:47:38 UTC 2016
New revision: 308919
URL: https://svnweb.freebsd.org/changeset/base/308919

Log:
MFC r308642: Initialize reserved bytes in struct mq_attr.

PR: 214488

Changes:
_U stable/10/
stable/10/sys/kern/uipc_mqueue.c
A commit references this bug:

Author: kib
Date: Mon Nov 21 10:49:37 UTC 2016
New revision: 308920
URL: https://svnweb.freebsd.org/changeset/base/308920

Log:
MFC r308642: Initialize reserved bytes in struct mq_attr.

PR: 214488

Changes:
_U stable/9/
_U stable/9/sys/
stable/9/sys/kern/uipc_mqueue.c