CVS commit: src/sys/ufs/ufs

Sat, 04 May 2019 18:49:17 -0700 

Module Name:    src
Committed By:   christos
Date:           Sun May  5 01:48:53 UTC 2019

Modified Files:
        src/sys/ufs/ufs: dir.h ufs_lookup.c

Log Message:
Zero out all the dirent padding not just one byte, to avoid kernel memory
disclosure (from https://svnweb.freebsd.org/base?view=revision&revision=347066)


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 src/sys/ufs/ufs/dir.h
cvs rdiff -u -r1.148 -r1.149 src/sys/ufs/ufs/ufs_lookup.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/ufs/ufs/dir.h
diff -u src/sys/ufs/ufs/dir.h:1.25 src/sys/ufs/ufs/dir.h:1.26
--- src/sys/ufs/ufs/dir.h:1.25	Tue Sep  1 02:16:03 2015
+++ src/sys/ufs/ufs/dir.h	Sat May  4 21:48:53 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: dir.h,v 1.25 2015/09/01 06:16:03 dholland Exp $	*/
+/*	$NetBSD: dir.h,v 1.26 2019/05/05 01:48:53 christos Exp $	*/
 
 /*
  * Copyright (c) 1982, 1986, 1989, 1993
@@ -111,8 +111,11 @@ struct	direct {
  * without the d_name field, plus enough space for the name with a terminating
  * null byte (dp->d_namlen+1), rounded up to a 4 byte boundary.
  */
+#define DIR_ROUNDUP	4
+#define UFS_NAMEROUNDUP(namlen)	(((namlen) + DIR_ROUNDUP) & ~(DIR_ROUNDUP - 1))
+#define UFS_NAMEPAD(namlen)	(DIR_ROUNDUP - ((namlen) & (DIR_ROUNDUP - 1)))
 #define	UFS_DIRECTSIZ(namlen) \
-	((sizeof(struct direct) - (FFS_MAXNAMLEN+1)) + (((namlen)+1 + 3) &~ 3))
+	((sizeof(struct direct) - (FFS_MAXNAMLEN+1)) + UFS_NAMEROUNDUP(namlen))
 
 #if (BYTE_ORDER == LITTLE_ENDIAN)
 #define UFS_DIRSIZ(oldfmt, dp, needswap)	\

Index: src/sys/ufs/ufs/ufs_lookup.c
diff -u src/sys/ufs/ufs/ufs_lookup.c:1.148 src/sys/ufs/ufs/ufs_lookup.c:1.149
--- src/sys/ufs/ufs/ufs_lookup.c:1.148	Fri Oct 27 08:25:15 2017
+++ src/sys/ufs/ufs/ufs_lookup.c	Sat May  4 21:48:53 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: ufs_lookup.c,v 1.148 2017/10/27 12:25:15 joerg Exp $	*/
+/*	$NetBSD: ufs_lookup.c,v 1.149 2019/05/05 01:48:53 christos Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -37,7 +37,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ufs_lookup.c,v 1.148 2017/10/27 12:25:15 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ufs_lookup.c,v 1.149 2019/05/05 01:48:53 christos Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ffs.h"
@@ -793,10 +793,15 @@ void
 ufs_makedirentry(struct inode *ip, struct componentname *cnp,
     struct direct *newdirp)
 {
+	size_t namelen = cnp->cn_namelen;
+
 	newdirp->d_ino = ip->i_number;
-	newdirp->d_namlen = cnp->cn_namelen;
-	memcpy(newdirp->d_name, cnp->cn_nameptr, (size_t)cnp->cn_namelen);
-	newdirp->d_name[cnp->cn_namelen] = '\0';
+	newdirp->d_namlen = namelen;
+	memcpy(newdirp->d_name, cnp->cn_nameptr, namelen);
+
+	/* Zero out padding */
+	memset(&newdirp->d_name[namelen], 0, UFS_NAMEPAD(namelen));
+
 	if (FSFMT(ITOV(ip)))
 		newdirp->d_type = 0;
 	else

Reply via email to