NetBSD Problem Report #45142
From www@NetBSD.org Thu Jul 14 00:53:06 2011
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id A0EDF63CA4D
for <gnats-bugs@gnats.NetBSD.org>; Thu, 14 Jul 2011 00:53:06 +0000 (UTC)
Message-Id: <20110714005305.D3ACB63CA45@www.NetBSD.org>
Date: Thu, 14 Jul 2011 00:53:05 +0000 (UTC)
From: guy@alum.mit.edu
Reply-To: guy@alum.mit.edu
To: gnats-bugs@NetBSD.org
Subject: bpf_filter() can leak kernel stack contents
X-Send-Pr-Version: www-1.0
>Number: 45142
>Category: kern
>Synopsis: bpf_filter() can leak kernel stack contents
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jul 14 00:55:00 +0000 2011
>Closed-Date: Fri Sep 30 08:57:59 +0000 2016
>Last-Modified: Fri Sep 30 08:57:59 +0000 2016
>Originator: Guy Harris
>Release: Any
>Organization:
>Environment:
N/A (bug discovered by looking at the OpenBSD CVS repository)
>Description:
http://seclists.org/fulldisclosure/2010/Nov/89
That's Linux's BPF interpreter, but the same problem exists with the *BSD BPF interpreter:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/bpf_filter.c.diff?r1=1.21;r2=1.22
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/bpf_filter.c?rev=1.22;content-type=text%2Fx-cvsweb-markup
>How-To-Repeat:
A bit more work on *BSD, as, unlike Linux, *BSD doesn't let you slap a BPF filter on arbitrary sockets, but there's probably something you can cook up, based on Dan's program.
>Fix:
Do a bzero() or memset(..., 0, ...) to clear out mem before you start running the BPF program (but after you do the "if no filter, just return 0xffffffff" check).
>Release-Note:
>Audit-Trail:
From: "Matthias Drochner" <drochner@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/45142 CVS commit: src/sys/net
Date: Thu, 14 Jul 2011 10:43:55 +0000
Module Name: src
Committed By: drochner
Date: Thu Jul 14 10:43:55 UTC 2011
Modified Files:
src/sys/net: bpf_filter.c
Log Message:
clear the packet filter's scratch memory before running the filter
program, otherwise kernel memory can be leaked, from Guy Harris
per PR kern/45142
To generate a diff of this commit:
cvs rdiff -u -r1.46 -r1.47 src/sys/net/bpf_filter.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, guy@alum.mit.edu
Cc:
Subject: Re: PR/45142 CVS commit: src/sys/net
Date: Thu, 14 Jul 2011 07:12:32 -0400
On Jul 14, 10:45am, drochner@netbsd.org ("Matthias Drochner") wrote:
-- Subject: PR/45142 CVS commit: src/sys/net
| Modified Files:
| src/sys/net: bpf_filter.c
|
| Log Message:
| clear the packet filter's scratch memory before running the filter
| program, otherwise kernel memory can be leaked, from Guy Harris
| per PR kern/45142
This is very inefficient, and the problem was fixed last year in a much
better way. What are you trying to avoid now?
christos
State-Changed-From-To: open->feedback
State-Changed-By: drochner@NetBSD.org
State-Changed-When: Thu, 14 Jul 2011 12:51:19 +0000
State-Changed-Why:
contrary to OpenBSD (and libpcap), NetBSD checks accesses to scratch mem
in bpf_validate(); zeroing it should thus be unnecessary
ok to close?
State-Changed-From-To: feedback->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 30 Sep 2016 08:57:59 +0000
State-Changed-Why:
fixed
>Unformatted:
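The two mitigations discussed in this PR are zeroing the scratch memory before the filter runs (the submitter's suggested fix) and rejecting, when the filter is installed, any program that could read a scratch slot before writing it (the bpf_validate() check drochner refers to). The following is an added example of the second approach, written for this page and not taken from NetBSD's bpf_filter.c; the opcode constants follow the classic BPF encoding, and bpf_scratch_ok() is an assumed, simplified stand-in for bpf_validate() that checks only scratch-memory accesses and jump targets.

```c
#include <stdint.h>
#include <string.h>
/* Classic BPF opcode encoding (same values as the BSD <net/bpf.h>). */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_LD   0x00
#define BPF_LDX  0x01
#define BPF_ST   0x02
#define BPF_STX  0x03
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_MEM  0x60
#define BPF_JA   0x00
#define BPF_MEMWORDS 16
#define BPF_MAXINSNS 512
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Returns 1 iff no instruction can read a scratch slot that is not written on
 * every path leading to it.  Classic BPF jumps are forward-only, so one pass in
 * program order sees all predecessors of an instruction before the instruction
 * itself; in[i] is the bitmask of slots definitely written on entry to insn i. */
int bpf_scratch_ok(const struct bpf_insn *p, int len)
{
    uint32_t in[BPF_MAXINSNS + 1];
    if (len <= 0 || len > BPF_MAXINSNS) return 0;
    memset(in, 0xff, sizeof in);   /* "all written" until some path arrives */
    in[0] = 0;                     /* nothing is written at program entry */
    for (int i = 0; i < len; i++) {
        uint16_t c = p[i].code, cls = BPF_CLASS(c);
        uint32_t out = in[i];
        if ((cls == BPF_LD || cls == BPF_LDX) && BPF_MODE(c) == BPF_MEM) {
            if (p[i].k >= BPF_MEMWORDS || !(out & (1u << p[i].k)))
                return 0;          /* read of an unwritten or out-of-range slot */
        } else if (cls == BPF_ST || cls == BPF_STX) {
            if (p[i].k >= BPF_MEMWORDS) return 0;
            out |= 1u << p[i].k;   /* this slot is now written on this path */
        }
        if (cls == BPF_RET) continue;             /* this path ends here */
        uint64_t t1 = (uint64_t)i + 1, t2 = t1;   /* successor indices */
        if (cls == BPF_JMP) {
            if (BPF_OP(c) == BPF_JA) t1 = t2 = t1 + p[i].k;
            else { t2 = t1 + p[i].jf; t1 += p[i].jt; }
        }
        if (t1 >= (uint64_t)len || t2 >= (uint64_t)len)
            return 0;              /* jump past the end, or no final BPF_RET */
        in[t1] &= out;             /* a slot counts only if written on all paths */
        in[t2] &= out;
    }
    return 1;
}
```

A program that passes this check never observes whatever the previous filter run left in the scratch array, which is the same property the memset() fix buys, without the per-packet cost Christos objects to.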