Bug 214488 - mqueuefs mq_setattr() leaks stack memory
Summary: mqueuefs mq_setattr() leaks stack memory
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Konstantin Belousov
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2016-11-13 22:22 UTC by Vlad Tsyrklevich
Modified: 2016-12-04 22:03 UTC (History)
3 users

See Also:
koobs: mfc-stable11?
koobs: mfc-stable10?
koobs: mfc-stable9?


Attachments
Example trigger (614 bytes, text/x-csrc)
2016-11-13 22:22 UTC, Vlad Tsyrklevich
no flags

Description Vlad Tsyrklevich 2016-11-13 22:22:50 UTC
Created attachment 176971
Example trigger

In kern/uipc_mqueue.c, sys_kmq_setattr() calls kern_kmq_setattr() to fill out a struct mq_attr before copying it back to userland; however, kern_kmq_setattr() does not zero the struct or clear the __reserved field, leaking 4 words' worth of uninitialized stack memory. The same goes for freebsd32_kmq_setattr, except it's mq_attr_to32() that does not clear __reserved in struct mq_attr32.

The mqueuefs kernel module needs to be loaded to reach this code. Example code is attached to dump leaked memory.
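Added example, not FreeBSD's code, the r308642 change, or the attached trigger: a user-space model of the defect class described above and of the kind of fix the commit log names. `struct mq_attr_demo`, the `demo_*` values and the 0xAA poison byte are constructed for the demo, and checking the reserved bytes directly stands in for the kernel's copyout() path.

```c
#include <stddef.h>
#include <string.h>

/* User-space model of the kernel's struct mq_attr (layout assumed for the
 * demo): four documented fields followed by a reserved tail. */
struct mq_attr_demo {
    long mq_flags;
    long mq_maxmsg;
    long mq_msgsize;
    long mq_curmsgs;
    long __reserved[4];
};

/* Constructed queue state standing in for what the kernel would report. */
static const long demo_maxmsg = 10, demo_msgsize = 1024, demo_curmsgs = 3;

static void set_documented_fields(struct mq_attr_demo *a) {
    a->mq_flags = 0;
    a->mq_maxmsg = demo_maxmsg;
    a->mq_msgsize = demo_msgsize;
    a->mq_curmsgs = demo_curmsgs;
}

/* 'Before' pattern: only the documented fields are written; whatever the
 * struct's storage held beforehand stays in __reserved and is copied out. */
void fill_attr_leaky(struct mq_attr_demo *a) {
    set_documented_fields(a);
}

/* 'After' pattern: clear the whole struct first, so every byte copied out is
 * either a documented field or a deliberate zero. */
void fill_attr_fixed(struct mq_attr_demo *a) {
    memset(a, 0, sizeof(*a));
    set_documented_fields(a);
}

/* Poison the struct (stand-in for stale stack content), run the filler, and
 * count reserved bytes still carrying the poison: the number of
 * uninitialized bytes a copyout() of this struct would expose. */
size_t count_poisoned_reserved(void (*fill)(struct mq_attr_demo *)) {
    struct mq_attr_demo a;
    memset(&a, 0xAA, sizeof(a));
    fill(&a);
    const unsigned char *p = (const unsigned char *)a.__reserved;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(a.__reserved); i++)
        if (p[i] == 0xAA) n++;
    return n;
}
```

A kernel-side review check for this bug class is the same: every byte of a struct handed to copyout() must have been written on purpose, so either zero the whole object up front or initialize every field, reserved ones included.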
Comment 1 commit-hook freebsd_committer freebsd_triage 2016-11-14 13:20:47 UTC
A commit references this bug:

Author: kib
Date: Mon Nov 14 13:20:10 UTC 2016
New revision: 308642
URL: https://svnweb.freebsd.org/changeset/base/308642

Log:
  Initialize reserved bytes in struct mq_attr and its 32compat
  counterpart, to avoid kernel stack content leak in kmq_setattr(2)
  syscall.  Also slightly simplify the checks around copyout()s.

  Reported by:	Vlad Tsyrklevich <vlad902+spam@gmail.com>
  PR:	214488
  MFC after:	1 week

Changes:
  head/sys/kern/uipc_mqueue.c
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2016-11-15 14:16:40 UTC
Assign to committer resolving. Pending MFC
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2016-11-15 14:17:31 UTC
@Konstantin If this needs an SA or other post-commit actions, please re-assign as necessary.
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-11-21 10:45:19 UTC
A commit references this bug:

Author: kib
Date: Mon Nov 21 10:44:40 UTC 2016
New revision: 308918
URL: https://svnweb.freebsd.org/changeset/base/308918

Log:
  MFC r308642:
  Initialize reserved bytes in struct mq_attr.

  PR:	214488

Changes:
_U  stable/11/
  stable/11/sys/kern/uipc_mqueue.c
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-11-21 10:48:22 UTC
A commit references this bug:

Author: kib
Date: Mon Nov 21 10:47:38 UTC 2016
New revision: 308919
URL: https://svnweb.freebsd.org/changeset/base/308919

Log:
  MFC r308642:
  Initialize reserved bytes in struct mq_attr.

  PR:	214488

Changes:
_U  stable/10/
  stable/10/sys/kern/uipc_mqueue.c
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-11-21 10:50:24 UTC
A commit references this bug:

Author: kib
Date: Mon Nov 21 10:49:37 UTC 2016
New revision: 308920
URL: https://svnweb.freebsd.org/changeset/base/308920

Log:
  MFC r308642:
  Initialize reserved bytes in struct mq_attr.

  PR:	214488

Changes:
_U  stable/9/
_U  stable/9/sys/
  stable/9/sys/kern/uipc_mqueue.c