Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/ufs/ufs Zero out the padding in 'd_namlen', to prevent i...



details:   https://anonhg.NetBSD.org/src/rev/4a56e3373151
branches:  trunk
changeset: 969661:4a56e3373151
user:      maxv <maxv%NetBSD.org@localhost>
date:      Wed Feb 26 18:00:12 2020 +0000

description:
Zero out the padding in 'd_namlen', to prevent info leaks. Same logic as
ufs_makedirentry().

Found by kMSan: the unzeroed bytes of the pool_cache were getting copied
to the disk via a DMA write operation, and there kMSan was noticing
uninitialized memory leaving the system.

Reported-by: syzbot+382c9dffc06a9683abb5%syzkaller.appspotmail.com@localhost

diffstat:

 sys/ufs/ufs/ufs_vnops.c |  10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diffs (31 lines):

diff -r a568944f7982 -r 4a56e3373151 sys/ufs/ufs/ufs_vnops.c
--- a/sys/ufs/ufs/ufs_vnops.c   Wed Feb 26 16:12:44 2020 +0000
+++ b/sys/ufs/ufs/ufs_vnops.c   Wed Feb 26 18:00:12 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ufs_vnops.c,v 1.248 2019/09/18 17:59:15 christos Exp $ */
+/*     $NetBSD: ufs_vnops.c,v 1.249 2020/02/26 18:00:12 maxv Exp $     */
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -66,7 +66,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ufs_vnops.c,v 1.248 2019/09/18 17:59:15 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ufs_vnops.c,v 1.249 2020/02/26 18:00:12 maxv Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_ffs.h"
@@ -873,7 +873,11 @@
                newdir->d_namlen = cnp->cn_namelen;
                memcpy(newdir->d_name, cnp->cn_nameptr,
                    (size_t)cnp->cn_namelen);
-               newdir->d_name[cnp->cn_namelen] = '\0';
+
+               /* NUL terminate and zero out padding */
+               memset(&newdir->d_name[cnp->cn_namelen], 0,
+                   UFS_NAMEPAD(cnp->cn_namelen));
+
                newdir->d_type = DT_WHT;
                error = ufs_direnter(dvp, ulr, NULL, newdir, cnp, NULL);
                pool_cache_put(ufs_direct_cache, newdir);



Home | Main Index | Thread Index | Old Index