Bug 237922 - Kernel stack disclosure in function freebsd32_swapcontext of sys/arm64/arm64/freebsd32_machdep.c
Summary: Kernel stack disclosure in function freebsd32_swapcontext of sys/arm64/arm64/...
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: arm64 Any
: Normal Affects Many People
Assignee: Konstantin Belousov
URL: https://github.com/freebsd/freebsd/co...
Keywords: security
Depends on:
Blocks:
 
Reported: 2019-05-16 11:59 UTC by Young
Modified: 2019-12-15 18:07 UTC (History)
5 users (show)

See Also:
emaste: mfc-stable12-
emaste: mfc-stable11-


Attachments
Proposed patch (934 bytes, patch)
2019-05-16 12:11 UTC, Young
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Young 2019-05-16 11:59:02 UTC
There is a kernel stack disclosure vulnerability in function freebsd32_swapcontext of sys/arm64/arm64/freebsd32_machdep.c.


int
freebsd32_swapcontext(struct thread *td, struct freebsd32_swapcontext_args *uap)
{
        ucontext32_t uc;
        int ret;

        if (uap->oucp == NULL || uap->ucp == NULL)
                ret = EINVAL;
        else {
+               bzero(&uc, sizeof(uc));
                get_mcontext32(td, &uc.uc_mcontext, GET_MC_CLEAR_RET);
                PROC_LOCK(td->td_proc);
                uc.uc_sigmask = td->td_sigmask;
                PROC_UNLOCK(td->td_proc);
                ret = copyout(&uc, uap->oucp, UC32_COPY_SIZE);
                if (ret == 0) {
                        ret = copyin(uap->ucp, &uc, UC32_COPY_SIZE);
                        if (ret == 0) {
                                ret = set_mcontext32(td, &uc.uc_mcontext);
                                kern_sigprocmask(td, SIG_SETMASK,
                                                &uc.uc_sigmask, NULL, 0);
                        }
                }
        }
        return (ret);
}

There is no initialization in else branch, which can lead to leaking stack information to user space. This is the vulnerability that are same with CVE-2018-17155 which was fixed in https://github.com/freebsd/freebsd/commit/ca2c73670f229fe64818fd64c8cdd5b517912966.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2019-05-16 12:06:31 UTC
Thank you for your report. Could you include your proposed patch an attachment please?
Comment 2 Young 2019-05-16 12:11:03 UTC
Created attachment 204399 [details]
Proposed patch
Comment 3 commit-hook freebsd_committer 2019-05-16 13:01:06 UTC
A commit references this bug:

Author: kib
Date: Thu May 16 13:00:35 UTC 2019
New revision: 347689
URL: https://svnweb.freebsd.org/changeset/base/347689

Log:
  arm64: bzero buffer for ucontext in freebsd32_swapcontext().

  This change is the same as r340994 for amd64.

  PR:	237922
  Submitted by:	Young <yangx92@hotmail.com>
  MFC after:	3 days

Changes:
  head/sys/arm64/arm64/freebsd32_machdep.c
Comment 4 Ed Maste freebsd_committer 2019-12-14 19:36:49 UTC
compat32 (r343004) was not merged to stable/12 so MFC not required
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2019-12-15 01:59:12 UTC
(In reply to Ed Maste from comment #4)

Is the "MFC after: 3 days" in base r347689 incorrect, or does that just refer to a direct to releng/* merge so SA/other purposes?
Comment 6 Ed Maste freebsd_committer 2019-12-15 18:07:17 UTC
(In reply to Kubilay Kocak from comment #5)
> Is the "MFC after: 3 days" in base r347689 incorrect

You could say that. The original change that introduced the problem was never merged back to stable/12 so this one can't be merged.