Author: cperciva
Date: Wed Oct 22 23:35:32 2014
New Revision: 273487
URL: https://svnweb.freebsd.org/changeset/base/273487

Log:
  Avoid leaking data from the kernel environment: When we convert the
  initial static environment to a dynamic one, zero the static environment
  buffer, and zero individual values when kern_unsetenv and freeenv are
  called.
  
  Tested by:    kmoore (VM memory dump + grep)
  Tested by:    cperciva (kernel panic dump + grep)

Modified:
  head/sys/kern/kern_environment.c

Modified: head/sys/kern/kern_environment.c
==============================================================================
--- head/sys/kern/kern_environment.c    Wed Oct 22 22:27:51 2014        
(r273486)
+++ head/sys/kern/kern_environment.c    Wed Oct 22 23:35:32 2014        
(r273487)
@@ -224,7 +224,7 @@ init_static_kenv(char *buf, size_t len)
 static void
 init_dynamic_kenv(void *data __unused)
 {
-       char *cp;
+       char *cp, *cpnext;
        size_t len;
        int i;
 
@@ -232,7 +232,8 @@ init_dynamic_kenv(void *data __unused)
                M_WAITOK | M_ZERO);
        i = 0;
        if (kern_envp && *kern_envp != '\0') {
-               for (cp = kern_envp; cp != NULL; cp = kernenv_next(cp)) {
+               for (cp = kern_envp; cp != NULL; cp = cpnext) {
+                       cpnext = kernenv_next(cp);
                        len = strlen(cp) + 1;
                        if (len > KENV_MNAMELEN + 1 + KENV_MVALLEN + 1) {
                                printf(
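Review bot: The reason `cpnext` is fetched at the top of the loop body is not stated anywhere in the new code; it only becomes clear from the `memset(cp, ...)` added in the following hunk. Presumably kernenv_next() walks forward from `cp` by scanning the string, which would no longer work once the entry is zeroed, but its body is not visible here. A one-line comment above the assignment would protect the ordering against a later tidy-up, for example `/* Fetch the successor first: cp is zeroed below and can no longer be walked. */`. The loop body continues past the end of this hunk.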
@@ -243,6 +244,7 @@ init_dynamic_kenv(void *data __unused)
                        if (i < KENV_SIZE) {
                                kenvp[i] = malloc(len, M_KENV, M_WAITOK);
                                strcpy(kenvp[i++], cp);
+                               memset(cp, 0, strlen(cp));
                        } else
                                printf(
                                "WARNING: too many kenv strings, ignoring %s\n",
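Review bot: The new `memset(cp, 0, strlen(cp));` sits only inside the `if (i < KENV_SIZE)` branch, so an entry that takes the `else` path ("too many kenv strings") stays readable in the static buffer after the conversion. The over-length path in the previous hunk probably has the same gap, though its body lies outside the visible lines. Since the log message promises a zeroed static buffer, every entry should be cleared whether or not it was copied, for instance with a single `memset(cp, 0, len - 1);` placed after the warnings have printed `cp`, on a path that any early `continue` also reaches. Using `len - 1` would also avoid the second strlen() call.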
@@ -260,8 +262,10 @@ void
 freeenv(char *env)
 {
 
-       if (dynamic_kenv)
+       if (dynamic_kenv) {
+               memset(env, 0, strlen(env));
                free(env, M_KENV);
+       }
 }
 
 /*
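Review bot: With this change `freeenv(NULL)` dereferences a null pointer in `strlen(env)` once `dynamic_kenv` is set, where the old code only passed the pointer on to `free(env, M_KENV)`. Whether any caller hands in the unchecked result of a failed lookup cannot be told from this hunk, so a guard keeps the previous tolerance: `if (dynamic_kenv && env != NULL) {`. A short comment above the memset saying that the value is wiped so it does not linger in freed kernel memory would also help the next reader.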
@@ -437,6 +441,7 @@ kern_unsetenv(const char *name)
                        kenvp[i++] = kenvp[j];
                kenvp[i] = NULL;
                mtx_unlock(&kenv_lock);
+               memset(oldenv, 0, strlen(oldenv));
                free(oldenv, M_KENV);
                return (0);
        }
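Review bot: The `memset(oldenv, 0, strlen(oldenv));` is a store to memory that is never read again before `free()`, which is the classic shape an optimiser may treat as dead if it can see through the deallocation; the same pattern appears in freeenv() in the previous hunk. A freestanding kernel build most likely keeps the store today, but the guarantee is implicit. If the tree provides it, `explicit_bzero(oldenv, strlen(oldenv));` makes the intent durable. Alternatively, a small static helper that wipes and frees a kenv string would keep the three call sites in this commit consistent. kern_unsetenv's body starts before this hunk.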