- memset struct stat to avoid kernel memory disclosure of padded fields

(thanks Trend Micro for the report) - use do_fhstat - consistency in argument order of compat functions
2021-08-15 07:57:46 +00:00 · 2021-08-15 07:57:46 +00:00 · 13248ebf78
parent 41918f4298
commit 13248ebf78
3 changed files with 45 additions and 83 deletions
--- a/sys/compat/common/vfs_syscalls_30.c
+++ b/sys/compat/common/vfs_syscalls_30.c
@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_30.c,v 1.41 2020/01/31 09:01:23 maxv Exp $	*/
+/*	$NetBSD: vfs_syscalls_30.c,v 1.42 2021/08/15 07:57:46 christos Exp $	*/

 /*-
 * Copyright (c) 2005, 2008 The NetBSD Foundation, Inc.
@ -29,7 +29,7 @@
 * POSSIBILITY OF SUCH DAMAGE.
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_30.c,v 1.41 2020/01/31 09:01:23 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_30.c,v 1.42 2021/08/15 07:57:46 christos Exp $");

 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@ -63,8 +63,6 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_30.c,v 1.41 2020/01/31 09:01:23 maxv Ex
 #include <compat/sys/mount.h>
 #include <compat/sys/statvfs.h>

-static void cvtstat(struct stat13 *, const struct stat *);
-
 static const struct syscall_package vfs_syscalls_30_syscalls[] = {
 	{ SYS_compat_30___fhstat30, 0, (sy_call_t *)compat_30_sys___fhstat30 },
 	{ SYS_compat_30___fstat13, 0, (sy_call_t *)compat_30_sys___fstat13 },
@ -85,6 +83,8 @@ static void
 cvtstat(struct stat13 *ost, const struct stat *st)
 {

+	/* Handle any padding. */
+	memset(ost, 0, sizeof(*ost));
 	ost->st_dev = st->st_dev;
 	ost->st_ino = (uint32_t)st->st_ino;
 	ost->st_mode = st->st_mode;
@ -123,8 +123,7 @@ compat_30_sys___stat13(struct lwp *l,
 	if (error)
 		return error;
 	cvtstat(&osb, &sb);
-	error = copyout(&osb, SCARG(uap, ub), sizeof (osb));
-	return error;
+	return copyout(&osb, SCARG(uap, ub), sizeof(osb));
 }


@ -148,8 +147,7 @@ compat_30_sys___lstat13(struct lwp *l,
 	if (error)
 		return error;
 	cvtstat(&osb, &sb);
-	error = copyout(&osb, SCARG(uap, ub), sizeof (osb));
-	return error;
+	return copyout(&osb, SCARG(uap, ub), sizeof(osb));
 }

 /* ARGSUSED */
@ -164,34 +162,12 @@ compat_30_sys_fhstat(struct lwp *l,
 	struct stat sb;
 	struct stat13 osb;
 	int error;
-	struct compat_30_fhandle fh;
-	struct mount *mp;
-	struct vnode *vp;

-	/*
-	 * Must be super user
-	 */
-	if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_FILEHANDLE,
-	    0, NULL, NULL, NULL)))
-		return (error);
-
-	if ((error = copyin(SCARG(uap, fhp), &fh, sizeof(fh))) != 0)
-		return (error);
-
-	if ((mp = vfs_getvfs(&fh.fh_fsid)) == NULL)
-		return (ESTALE);
-	if (mp->mnt_op->vfs_fhtovp == NULL)
-		return EOPNOTSUPP;
-	error = VFS_FHTOVP(mp, (struct fid*)&fh.fh_fid, LK_EXCLUSIVE, &vp);
-	if (error != 0)
-		return (error);
-	error = vn_stat(vp, &sb);
-	vput(vp);
+	error = do_fhstat(l, SCARG(uap, fhp), sizeof(*SCARG(uap, fhp)), &sb);
 	if (error)
-		return (error);
+		return error;
 	cvtstat(&osb, &sb);
-	error = copyout(&osb, SCARG(uap, sb), sizeof(osb));
-	return (error);
+	return copyout(&osb, SCARG(uap, sb), sizeof(osb));
 }

 /*
@ -214,8 +190,7 @@ compat_30_sys___fstat13(struct lwp *l,
 	if (error)
 		return error;
 	cvtstat(&osb, &sb);
-	error = copyout(&osb, SCARG(uap, sb), sizeof (osb));
-	return error;
+	return copyout(&osb, SCARG(uap, sb), sizeof(osb));
 }

 /*
@ -292,7 +267,7 @@ again:
 		bdp = (struct dirent *)inp;
 		reclen = bdp->d_reclen;
 		if (reclen & _DIRENT_ALIGN(bdp))
-			panic("netbsd30_getdents: bad reclen %d", reclen);
+			panic("%s: bad reclen %d", __func__, reclen);
 		if (cookie)
 			off = *cookie++; /* each entry points to the next */
 		else
@ -396,9 +371,8 @@ compat_30_sys_getfh(struct lwp *l, const struct compat_30_sys_getfh_args *uap,
 		error = EINVAL;
 	}
 	if (error)
-		return (error);
-	error = copyout(&fh, SCARG(uap, fhp), sizeof(struct compat_30_fhandle));
-	return (error);
+		return error;
+	return copyout(&fh, SCARG(uap, fhp), sizeof(fh));
 }

 /*
@ -437,8 +411,7 @@ compat_30_sys___fhstat30(struct lwp *l,
 	if (error)
 		return error;
 	cvtstat(&osb, &sb);
-	error = copyout(&osb, SCARG(uap_30, sb), sizeof (osb));
-	return error;
+	return copyout(&osb, SCARG(uap_30, sb), sizeof(osb));
 }

 /* ARGSUSED */
--- a/sys/compat/common/vfs_syscalls_43.c
+++ b/sys/compat/common/vfs_syscalls_43.c
@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_43.c,v 1.66 2020/06/24 10:28:16 jdolecek Exp $	*/
+/*	$NetBSD: vfs_syscalls_43.c,v 1.67 2021/08/15 07:57:46 christos Exp $	*/

 /*
 * Copyright (c) 1989, 1993
@ -37,7 +37,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.66 2020/06/24 10:28:16 jdolecek Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.67 2021/08/15 07:57:46 christos Exp $");

 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@ -75,9 +75,6 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_43.c,v 1.66 2020/06/24 10:28:16 jdolece
 #include <compat/common/compat_util.h>
 #include <compat/common/compat_mod.h>

-static void cvttimespec(struct timespec *, struct timespec50 *);
-static void cvtstat(struct stat *, struct stat43 *);
-
 static struct syscall_package vfs_syscalls_43_syscalls[] = {
 	{ SYS_compat_43_oquota,     0, (sy_call_t *)compat_43_sys_quota },
 	{ SYS_compat_43_stat43,     0, (sy_call_t *)compat_43_sys_stat },
@ -96,7 +93,7 @@ static struct syscall_package vfs_syscalls_43_syscalls[] = {
 * Convert from an old to a new timespec structure.
 */
 static void
-cvttimespec(struct timespec *ts, struct timespec50 *ots)
+cvttimespec(struct timespec50 *ots, const struct timespec *ts)
 {

 	if (ts->tv_sec > INT_MAX) {
@ -120,11 +117,11 @@ cvttimespec(struct timespec *ts, struct timespec50 *ots)
 * Convert from an old to a new stat structure.
 */
 static void
-cvtstat(struct stat *st, struct stat43 *ost)
+cvtstat(struct stat43 *ost, const struct stat *st)
 {

 	/* Handle any padding. */
-	memset(ost, 0, sizeof *ost);
+	memset(ost, 0, sizeof(*ost));
 	ost->st_dev = st->st_dev;
 	ost->st_ino = st->st_ino;
 	ost->st_mode = st->st_mode & 0xffff;
@ -136,9 +133,9 @@ cvtstat(struct stat *st, struct stat43 *ost)
 		ost->st_size = st->st_size;
 	else
 		ost->st_size = -2;
-	cvttimespec(&st->st_atimespec, &ost->st_atimespec);
-	cvttimespec(&st->st_mtimespec, &ost->st_mtimespec);
-	cvttimespec(&st->st_ctimespec, &ost->st_ctimespec);
+	cvttimespec(&ost->st_atimespec, &st->st_atimespec);
+	cvttimespec(&ost->st_mtimespec, &st->st_mtimespec);
+	cvttimespec(&ost->st_ctimespec, &st->st_ctimespec);
 	ost->st_blksize = st->st_blksize;
 	ost->st_blocks = st->st_blocks;
 	ost->st_flags = st->st_flags;
@ -162,10 +159,9 @@ compat_43_sys_stat(struct lwp *l, const struct compat_43_sys_stat_args *uap, reg

 	error = do_sys_stat(SCARG(uap, path), FOLLOW, &sb);
 	if (error)
-		return (error);
-	cvtstat(&sb, &osb);
-	error = copyout((void *)&osb, (void *)SCARG(uap, ub), sizeof (osb));
-	return (error);
+		return error;
+	cvtstat(&osb, &sb);
+	return copyout(&osb, SCARG(uap, ub), sizeof(osb));
 }

 /*
@ -177,7 +173,7 @@ compat_43_sys_lstat(struct lwp *l, const struct compat_43_sys_lstat_args *uap, r
 {
 	/* {
 		syscallarg(char *) path;
-		syscallarg(struct ostat *) ub;
+		syscallarg(struct stat43 *) ub;
 	} */
 	struct stat sb;
 	struct stat43 osb;
@ -192,9 +188,8 @@ compat_43_sys_lstat(struct lwp *l, const struct compat_43_sys_lstat_args *uap, r
 	 * containing directory, except for mode, size, and links.
 	 * This is no longer emulated, the parent directory is not consulted.
 	 */
-	cvtstat(&sb, &osb);
-	error = copyout((void *)&osb, (void *)SCARG(uap, ub), sizeof (osb));
-	return (error);
+	cvtstat(&osb, &sb);
+	return copyout(&osb, SCARG(uap, ub), sizeof(osb));
 }

 /*
@ -208,18 +203,16 @@ compat_43_sys_fstat(struct lwp *l, const struct compat_43_sys_fstat_args *uap, r
 		syscallarg(int) fd;
 		syscallarg(struct stat43 *) sb;
 	} */
-	struct stat ub;
-	struct stat43 oub;
+	struct stat sb;
+	struct stat43 osb;
 	int error;

-	error = do_sys_fstat(SCARG(uap, fd), &ub);
-	if (error == 0) {
-		cvtstat(&ub, &oub);
-		error = copyout((void *)&oub, (void *)SCARG(uap, sb),
-		    sizeof (oub));
-	}
+	error = do_sys_fstat(SCARG(uap, fd), &sb);
+	if (error)
+		return error;

-	return (error);
+	cvtstat(&osb, &sb);
+	return copyout(&osb, SCARG(uap, sb), sizeof(osb));
 }


@ -242,7 +235,7 @@ compat_43_sys_ftruncate(struct lwp *l, const struct compat_43_sys_ftruncate_args

 	SCARG(&nuap, fd) = SCARG(uap, fd);
 	SCARG(&nuap, length) = SCARG(uap, length);
-	return (sys_ftruncate(l, &nuap, retval));
+	return sys_ftruncate(l, &nuap, retval);
 }

 /*
@ -481,7 +474,7 @@ out1:
 	fd_putfile(SCARG(uap, fd));
 	if (error)
 		return error;
-	return copyout(&loff, SCARG(uap, basep), sizeof(long));
+	return copyout(&loff, SCARG(uap, basep), sizeof(loff));
 }

 int
--- a/sys/compat/common/vfs_syscalls_50.c
+++ b/sys/compat/common/vfs_syscalls_50.c
@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls_50.c,v 1.25 2020/01/21 02:37:16 pgoyette Exp $	*/
+/*	$NetBSD: vfs_syscalls_50.c,v 1.26 2021/08/15 07:57:46 christos Exp $	*/

 /*-
 * Copyright (c) 2008 The NetBSD Foundation, Inc.
@ -29,7 +29,7 @@
 * POSSIBILITY OF SUCH DAMAGE.
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_50.c,v 1.25 2020/01/21 02:37:16 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_50.c,v 1.26 2021/08/15 07:57:46 christos Exp $");

 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@ -69,8 +69,6 @@ __KERNEL_RCSID(0, "$NetBSD: vfs_syscalls_50.c,v 1.25 2020/01/21 02:37:16 pgoyett
 #include <compat/sys/dirent.h>
 #include <compat/sys/mount.h>

-static void cvtstat(struct stat30 *, const struct stat *);
-
 static const struct syscall_package vfs_syscalls_50_syscalls[] = {
 	{ SYS_compat_50___stat30, 0, (sy_call_t *)compat_50_sys___stat30 },
 	{ SYS_compat_50___fstat30, 0, (sy_call_t *)compat_50_sys___fstat30 },
@ -92,6 +90,8 @@ static void
 cvtstat(struct stat30 *ost, const struct stat *st)
 {

+	/* Handle any padding. */
+	memset(ost, 0, sizeof(*ost));
 	ost->st_dev = st->st_dev;
 	ost->st_ino = st->st_ino;
 	ost->st_mode = st->st_mode;
@ -130,8 +130,7 @@ compat_50_sys___stat30(struct lwp *l, const struct compat_50_sys___stat30_args *
 	if (error)
 		return error;
 	cvtstat(&osb, &sb);
-	error = copyout(&osb, SCARG(uap, ub), sizeof (osb));
-	return error;
+	return copyout(&osb, SCARG(uap, ub), sizeof(osb));
 }


@ -154,8 +153,7 @@ compat_50_sys___lstat30(struct lwp *l, const struct compat_50_sys___lstat30_args
 	if (error)
 		return error;
 	cvtstat(&osb, &sb);
-	error = copyout(&osb, SCARG(uap, ub), sizeof (osb));
-	return error;
+	return copyout(&osb, SCARG(uap, ub), sizeof(osb));
 }

 /*
@ -177,8 +175,7 @@ compat_50_sys___fstat30(struct lwp *l, const struct compat_50_sys___fstat30_args
 	if (error)
 		return error;
 	cvtstat(&osb, &sb);
-	error = copyout(&osb, SCARG(uap, sb), sizeof (osb));
-	return error;
+	return copyout(&osb, SCARG(uap, sb), sizeof(osb));
 }

 /* ARGSUSED */
@ -198,8 +195,7 @@ compat_50_sys___fhstat40(struct lwp *l, const struct compat_50_sys___fhstat40_ar
 	if (error)
 		return error;
 	cvtstat(&osb, &sb);
-	error = copyout(&osb, SCARG(uap, sb), sizeof (osb));
-	return error;
+	return copyout(&osb, SCARG(uap, sb), sizeof(osb));
 }

 static int