Bug 214488

Summary: mqueuefs mq_setattr() leaks stack memory
Product: Base System
Reporter: Vlad Tsyrklevich <vlad902+spam>
Component: kern
Assignee: Konstantin Belousov <kib>
Status: Closed FIXED
Severity: Affects Only Me
CC: op, secteam, security
Priority: ---
Keywords: security
Version: CURRENT
Flags: koobs: mfc-stable11?
       koobs: mfc-stable10?
       koobs: mfc-stable9?
Hardware: Any
OS: Any
Attachments:
Example trigger (flags: none)

Description Vlad Tsyrklevich 2016-11-13 22:22:50 UTC
Created attachment 176971 [details]
Example trigger

In kern/uipc_mqueue.c, sys_kmq_setattr() calls kern_kmq_setattr() to fill out a struct mq_attr before copying it back to userland; however, kern_kmq_setattr() does not zero the struct or clear the __reserved field, leaking 4 words' worth of uninitialized stack memory. The same goes for freebsd32_kmq_setattr, except there it's mq_attr_to32() that does not clear __reserved in struct mq_attr32.

The mqueuefs kernel module needs to be loaded to reach this code. Example code is attached to dump leaked memory.
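As an added illustration (not FreeBSD's code and not the attached trigger), here is a user-space model of the pattern the report describes. The struct layouts are assumptions modelled on struct mq_attr and struct mq_attr32, and the 0xAA poison is a constructed stand-in for stale stack contents: the leaky filler assigns only the named fields, the fixed filler and the 32-bit conversion zero the whole destination first, and the check functions are the regression test a defender would keep around.

```c
#include <stddef.h>
#include <string.h>

/* Layouts are an assumption modelled on FreeBSD's mq_attr/mq_attr32:
 * four defined fields followed by four reserved words. */
struct mq_attr   { long mq_flags, mq_maxmsg, mq_msgsize, mq_curmsgs; long __reserved[4]; };
struct mq_attr32 { int  mq_flags, mq_maxmsg, mq_msgsize, mq_curmsgs; int  __reserved[4]; };

/* Buggy pattern from the report: only the named fields are written, so
 * __reserved keeps whatever the stack slot held before copyout. */
static void fill_attr_leaky(struct mq_attr *a, long maxmsg, long msgsize, long cur)
{
	a->mq_flags = 0; a->mq_maxmsg = maxmsg; a->mq_msgsize = msgsize; a->mq_curmsgs = cur;
}

/* Fixed pattern: every byte is defined before anything is copied out. */
static void fill_attr(struct mq_attr *a, long maxmsg, long msgsize, long cur)
{
	memset(a, 0, sizeof *a);
	a->mq_maxmsg = maxmsg; a->mq_msgsize = msgsize; a->mq_curmsgs = cur;
}

/* The second site in the report: 32-bit compat conversion, zeroed first. */
static void mq_attr_to32(const struct mq_attr *from, struct mq_attr32 *to)
{
	memset(to, 0, sizeof *to);
	to->mq_flags = (int)from->mq_flags;     to->mq_maxmsg  = (int)from->mq_maxmsg;
	to->mq_msgsize = (int)from->mq_msgsize; to->mq_curmsgs = (int)from->mq_curmsgs;
}

/* Regression check: 1 if every byte from `off` to the end of `buf` is zero. */
static int tail_is_zero(const void *buf, size_t len, size_t off)
{
	const unsigned char *p = buf;
	for (size_t i = off; i < len; i++)
		if (p[i] != 0) return 0;
	return 1;
}

/* Poison the slot (constructed stand-in for leftover stack), run a filler,
 * and report whether the reserved words came out clean. */
static int reserved_clean_after(void (*fill)(struct mq_attr *, long, long, long))
{
	struct mq_attr a;
	memset(&a, 0xAA, sizeof a);
	fill(&a, 10, 1024, 3);
	return tail_is_zero(&a, sizeof a, offsetof(struct mq_attr, __reserved));
}

/* Same check for the compat path: poisoned 32-bit destination, then convert. */
static int compat_reserved_clean(void)
{
	struct mq_attr a; struct mq_attr32 a32;
	fill_attr(&a, 10, 1024, 3);
	memset(&a32, 0xAA, sizeof a32);
	mq_attr_to32(&a, &a32);
	return tail_is_zero(&a32, sizeof a32, offsetof(struct mq_attr32, __reserved)) && a32.mq_maxmsg == 10;
}
```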
Comment 1 commit-hook freebsd_committer freebsd_triage 2016-11-14 13:20:47 UTC
A commit references this bug:

Author: kib
Date: Mon Nov 14 13:20:10 UTC 2016
New revision: 308642
URL: https://svnweb.freebsd.org/changeset/base/308642

Log:
  Initialize reserved bytes in struct mq_attr and its 32compat
  counterpart, to avoid kernel stack content leak in kmq_setattr(2)
  syscall.  Also slightly simplify the checks around copyout()s.

  Reported by:	Vlad Tsyrklevich <vlad902+spam@gmail.com>
  PR:	214488
  MFC after:	1 week

Changes:
  head/sys/kern/uipc_mqueue.c
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2016-11-15 14:16:40 UTC
Assign to committer resolving. Pending MFC
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2016-11-15 14:17:31 UTC
@Konstantin If this needs an SA or other post-commit actions, please re-assign as necessary.
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-11-21 10:45:19 UTC
A commit references this bug:

Author: kib
Date: Mon Nov 21 10:44:40 UTC 2016
New revision: 308918
URL: https://svnweb.freebsd.org/changeset/base/308918

Log:
  MFC r308642:
  Initialize reserved bytes in struct mq_attr.

  PR:	214488

Changes:
_U  stable/11/
  stable/11/sys/kern/uipc_mqueue.c
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-11-21 10:48:22 UTC
A commit references this bug:

Author: kib
Date: Mon Nov 21 10:47:38 UTC 2016
New revision: 308919
URL: https://svnweb.freebsd.org/changeset/base/308919

Log:
  MFC r308642:
  Initialize reserved bytes in struct mq_attr.

  PR:	214488

Changes:
_U  stable/10/
  stable/10/sys/kern/uipc_mqueue.c
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-11-21 10:50:24 UTC
A commit references this bug:

Author: kib
Date: Mon Nov 21 10:49:37 UTC 2016
New revision: 308920
URL: https://svnweb.freebsd.org/changeset/base/308920

Log:
  MFC r308642:
  Initialize reserved bytes in struct mq_attr.

  PR:	214488

Changes:
_U  stable/9/
_U  stable/9/sys/
  stable/9/sys/kern/uipc_mqueue.c