>Number:         163098
>Category:       kern
>Synopsis:       ktrace leak & fix
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 06 20:10:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Loganaden Velvindron
>Release:        8.2
>Organization:
devio.us
>Environment:
>Description:
djm@openbsd: The issue was that the syscall wrapper did not clear retval when
an error occurs in the syscall itself. retval was being passed back
to ktrace, and could leak some kernel stack (e.g. via ptrace PT_READ*).
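
The leak pattern described above, as an added example that is not FreeBSD's code nor from the submitter: a hypothetical, simplified model of a syscall return path in which a handler fails before writing its result, so the per-thread return slot (modelled here as td_retval[0], with a constructed "stale" value standing in for uninitialised kernel stack) is copied unchanged into a ktrace-style record. The leaky and fixed dispatchers, the handler sys_fail_early and the record type sysret_rec are all assumptions made for the illustration; the fix clears the return slots on error at the dispatcher, so every consumer of td_retval, not only the trace record, sees a clean value.

```c
#include <errno.h>
#include <stdio.h>

/* Per-thread return slots, modelled on the idea of td_retval[2] (hypothetical). */
struct thread {
    long td_retval[2];
};

/* Trace record the ktrace-like consumer receives (hypothetical, modelled on ktr_sysret). */
struct sysret_rec {
    int  code;
    int  error;
    long retval;
};

/* A syscall handler that fails early and therefore never assigns its result. */
static int sys_fail_early(struct thread *td, long arg)
{
    if (arg < 0)
        return EINVAL;              /* early error: td_retval left untouched */
    td->td_retval[0] = arg * 2;
    return 0;
}

/* Constructed stale data in the return slots, standing in for uninitialised
   kernel stack left behind by earlier activity. */
static void poison_retval(struct thread *td)
{
    td->td_retval[0] = 0x41414141L;
    td->td_retval[1] = 0x42424242L;
}

/* Vulnerable dispatcher: records whatever sits in td_retval, even on error. */
static struct sysret_rec dispatch_leaky(struct thread *td, int code, long arg)
{
    struct sysret_rec rec;
    int error = sys_fail_early(td, arg);
    rec.code = code;
    rec.error = error;
    rec.retval = td->td_retval[0];  /* stale slot value leaks into the trace */
    return rec;
}

/* Fixed dispatcher: clears the return slots on error before any consumer
   (trace record, ptrace, user return) can read them. */
static struct sysret_rec dispatch_fixed(struct thread *td, int code, long arg)
{
    struct sysret_rec rec;
    int error = sys_fail_early(td, arg);
    if (error != 0) {
        td->td_retval[0] = 0;
        td->td_retval[1] = 0;
    }
    rec.code = code;
    rec.error = error;
    rec.retval = td->td_retval[0];
    return rec;
}

/* Helpers: run one call against poisoned slots and return what the trace saw. */
long trace_retval_leaky(long arg)
{
    struct thread td;
    poison_retval(&td);
    return dispatch_leaky(&td, 1, arg).retval;
}

long trace_retval_fixed(long arg)
{
    struct thread td;
    poison_retval(&td);
    return dispatch_fixed(&td, 1, arg).retval;
}

int main(void)
{
    printf("leaky, error path: retval=0x%lx\n", trace_retval_leaky(-1));
    printf("fixed, error path: retval=0x%lx\n", trace_retval_fixed(-1));
    printf("fixed, success:    retval=%ld\n",   trace_retval_fixed(21));
    return 0;
}
```

On the error path the leaky dispatcher hands the constructed 0x41414141 to the trace record, which is exactly the kind of value a real kernel would pull from its stack; the fixed dispatcher records 0. Masking only in the trace writer (as the patch below does) closes the ktrace consumer but leaves any other reader of the return slots, such as the ptrace PT_READ* path the description names, to fend for itself.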

>How-To-Repeat:

>Fix:
Index: src/sys/kern/kern_ktrace.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_ktrace.c,v
retrieving revision 1.130.2.2.4.1
diff -u -p -r1.130.2.2.4.1 kern_ktrace.c
--- src/sys/kern/kern_ktrace.c  21 Dec 2010 17:09:25 -0000      1.130.2.2.4.1
+++ src/sys/kern/kern_ktrace.c  3 Dec 2011 19:22:13 -0000
@@ -426,7 +426,7 @@ ktrsysret(code, error, retval)
        ktp = &req->ktr_data.ktr_sysret;
        ktp->ktr_code = code;
        ktp->ktr_error = error;
-       ktp->ktr_retval = retval;               /* what about val2 ? */
+       ktp->ktr_retval = error == 0 ? retval: 0;       /* what about val2 ? */
        ktr_submitrequest(curthread, req);
 }
 
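Review bot: the added guard on the `+` line zeroes ktr_retval only inside ktrsysret, whereas the Description states the root cause is the syscall wrapper not clearing retval on error and names ptrace PT_READ* as another path that can observe it; clearing td_retval in the syscall return path would cover every consumer, so consider that in addition to (or instead of) masking in the trace record. The `/* what about val2 ? */` comment is carried over unchanged, so the second return slot still gets no treatment if it is ever recorded. Minor style(9) point: space the ternary as `error == 0 ? retval : 0`.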

>Release-Note:
>Audit-Trail:
>Unformatted: