https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246983
Bug ID: 246983
Summary: sbput(3) writes out the values of pointers verbatim
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
`struct fs` contains some pointer fields. The binary representation of a
`struct fs` is written out verbatim to the disk: see ffs_sbput() in
sys/ufs/ffs/ffs_subr.c. This inadvertently causes garbage to be stored, in
particular by newfs(1). (It is garbage because those pointers pointed to the
then-current stack or heap.) Although a mere pointer doesn't reveal anything
useful (like a part of a private key) to an attacker, garbage output
degrades reproducibility.
In an attempt to work around this design, users of sbput(3) ought to zero out
those pointer fields, but this isn't totally possible, because the function
makes use of the `fs_csp` field. So the solution should be to save the pointers
before writing the whole struct out, and to restore them afterwards.
It would have been ideal if `struct fs` didn't contain any pointers at all.
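The save-zero-write-restore pattern the report proposes, as an added example that is not FreeBSD code and does not use the real `struct fs` layout: `struct toy_sb` is a hypothetical stand-in with two on-disk fields and two in-core pointers (`csp` plays the role of `fs_csp`, which the writer still has to read before the copy). The example writes the same logical superblock from two in-core copies whose pointers differ only in where they point, and compares the two images. `memset` at initialisation is there so that padding bytes are deterministic as well; otherwise a reproducible image needs more than scrubbing the named pointer fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for `struct fs` (added example, not the UFS layout):
 * on-disk fields mixed with in-core pointers, the way struct fs carries fs_csp.
 */
struct toy_sb {
    uint32_t  magic;
    uint32_t  ncg;
    int32_t  *csp;      /* in-core only: summary array, like fs_csp */
    char     *scratch;  /* in-core only: some other transient pointer */
    uint32_t  cssum;    /* on-disk: derived from *csp by the writer */
};

#define SB_MAGIC 0x011954u

/* Writer that needs the pointer (as ffs_sbput needs fs_csp) and then
 * copies the whole struct out verbatim, pointer values included. */
static void sbput_verbatim(struct toy_sb *sb, unsigned char *img)
{
    sb->cssum = (uint32_t)(sb->csp[0] + sb->csp[1]);
    memcpy(img, sb, sizeof *sb);
}

/* Same writer, but the pointer fields are saved, cleared for the copy,
 * and restored afterwards so the caller's in-core state is unchanged. */
static void sbput_scrubbed(struct toy_sb *sb, unsigned char *img)
{
    int32_t *saved_csp     = sb->csp;
    char    *saved_scratch = sb->scratch;

    sb->cssum = (uint32_t)(saved_csp[0] + saved_csp[1]); /* use it first */
    sb->csp = NULL;
    sb->scratch = NULL;
    memcpy(img, sb, sizeof *sb);
    sb->csp = saved_csp;
    sb->scratch = saved_scratch;
}

/* memset first so that padding bytes are deterministic too. */
static void sb_init(struct toy_sb *sb, int32_t *cs, char *scratch)
{
    memset(sb, 0, sizeof *sb);
    sb->magic = SB_MAGIC;
    sb->ncg = 2;
    sb->csp = cs;
    sb->scratch = scratch;
}

/* Write the same logical superblock from two in-core copies that differ
 * only in where their pointers point; 1 if the images are byte-identical. */
static int images_identical(void (*put)(struct toy_sb *, unsigned char *))
{
    int32_t cs_a[2] = {10, 20}, cs_b[2] = {10, 20}; /* same content, distinct addresses */
    char scratch_a[8] = "a", scratch_b[8] = "a";
    struct toy_sb sb_a, sb_b;
    unsigned char img_a[sizeof sb_a], img_b[sizeof sb_b];

    sb_init(&sb_a, cs_a, scratch_a);
    sb_init(&sb_b, cs_b, scratch_b);
    put(&sb_a, img_a);
    put(&sb_b, img_b);
    return memcmp(img_a, img_b, sizeof img_a) == 0;
}

int verbatim_is_reproducible(void) { return images_identical(sbput_verbatim); }
int scrubbed_is_reproducible(void) { return images_identical(sbput_scrubbed); }

/* Does the verbatim image carry the raw csp pointer value at its offset? */
int verbatim_image_contains_pointer(void)
{
    int32_t cs[2] = {1, 2};
    char scratch[4] = "x";
    struct toy_sb sb;
    unsigned char img[sizeof sb];

    sb_init(&sb, cs, scratch);
    sbput_verbatim(&sb, img);
    return memcmp(img + offsetof(struct toy_sb, csp), &sb.csp, sizeof sb.csp) == 0;
}

/* After the scrubbed write the caller's pointers are intact and the image
 * holds zeros where each pointer field lives. */
int scrubbed_restores_pointers_and_zeroes_image(void)
{
    static const unsigned char zeros[sizeof(void *)];
    int32_t cs[2] = {1, 2};
    char scratch[4] = "x";
    struct toy_sb sb;
    unsigned char img[sizeof sb];

    sb_init(&sb, cs, scratch);
    sbput_scrubbed(&sb, img);
    return sb.csp == cs && sb.scratch == scratch
        && memcmp(img + offsetof(struct toy_sb, csp), zeros, sizeof zeros) == 0
        && memcmp(img + offsetof(struct toy_sb, scratch), zeros, sizeof zeros) == 0;
}

int main(void)
{
    printf("verbatim reproducible: %d\n", verbatim_is_reproducible());
    printf("scrubbed reproducible: %d\n", scrubbed_is_reproducible());
    return 0;
}
```

Because the scrub happens inside the writer, callers of the real function would not need to know which fields are pointers; the list lives next to the struct definition that owns it. Running `newfs` twice with the same parameters and diffing the superblock region is the corresponding end-to-end check on a real image.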
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs