NetBSD-Bugs archive
kern/40717: kernel data leak in wait4()
>Number: 40717
>Category: kern
>Synopsis: kernel data leak in wait4()
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Feb 22 21:45:04 +0000 2009
>Originator: David A. Holland
>Release: NetBSD 5.99.7 (20080221)
>Organization:
>Environment:
(irrelevant)
>Description:
The rusage parameter of wait4() returns a copy of an uninitialized
chunk of kernel stack for stopped processes.
>How-To-Repeat:
code reading
>Fix:
Can't currently test this (or much of anything) because of the
premature removal of softdep.
Index: kern_exit.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_exit.c,v
retrieving revision 1.218
diff -u -p -r1.218 kern_exit.c
--- kern_exit.c 22 Jan 2009 14:38:35 -0000 1.218
+++ kern_exit.c 22 Feb 2009 21:38:42 -0000
@@ -688,9 +688,10 @@ do_sys_wait(struct lwp *l, int *pid, int
if (child->p_stat == SZOMB) {
/* proc_free() will release the proc_lock. */
*was_zombie = 1;
- if (options & WNOWAIT)
+ if (options & WNOWAIT) {
mutex_exit(proc_lock);
- else {
+ memset(ru, 0, sizeof(*ru));
+ } else {
proc_free(child, ru);
}
} else {
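Review bot: the memset(ru, 0, sizeof(*ru)) added to the WNOWAIT branch writes through ru unconditionally, and nothing in the visible context establishes that ru is non-NULL at this point. wait4() accepts a NULL rusage argument from userland, so if that NULL can reach do_sys_wait() this trades an information leak for a kernel NULL dereference; guard the call with "if (ru != NULL)" or add a comment stating why ru cannot be NULL here. Separately, the PR description names only stopped processes, while this branch is the zombie case with WNOWAIT set; the commit message should mention it, and the code should note that the caller receives zeroed usage here and not the child's real figures.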
@@ -698,6 +699,7 @@ do_sys_wait(struct lwp *l, int *pid, int
*was_zombie = 0;
mutex_exit(proc_lock);
*status = W_STOPCODE(*status);
+ memset(ru, 0, sizeof(*ru));
}
return 0;
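Review bot: the memset after W_STOPCODE in the stopped-process branch is a second copy of the same clearing call, which leaves every other return path in do_sys_wait() responsible for remembering to clear ru on its own. Zeroing ru once, on entry to do_sys_wait() or at the point where the struct is allocated in the caller, would cover both branches touched here and any path not shown in this diff. The NULL question from the first hunk applies to this call as well, and since the submitter says the fix could not be tested, both paths (stopped child, and zombie with WNOWAIT) need a run with a NULL and a non-NULL rusage before commit.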