ktrace: Fix uninitialized memory disclosure

The sockaddr passed to ktrcapfail() may be smaller than sizeof(struct sockaddr), and the trailing bytes in the sockaddr structure will be uninitialized, whereupon they get copied out to userspace. Approved by: so Security: FreeBSD-SA-25:04.ktrace PR: 283673 Reviewed by: jfree, emaste Reported by: Yichen Chai <yichen.chai@gmail.com> Reported by: Zhuo Ying Jiang Li <zyj20@cl.cam.ac.uk> Fixes: 9bec84131215 ("ktrace: Record detailed ECAPMODE violations") MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D48499 (cherry picked from commit 5b86888bae651e54ccc0adde0ed897ec1c1e0d45) (cherry picked from commit 99d5ee8738)
2026-05-28 04:12:45 -04:00 · 2025-01-20 13:50:04 +00:00 · 2025-01-20 13:50:04 +00:00 · 3717a36932
commit 3717a36932
parent ebed92a975
1 changed files with 9 additions and 2 deletions
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@ -958,9 +958,16 @@ ktrcapfail(enum ktr_cap_violation type, const void *data)
 		case CAPFAIL_PROTO:
 			kcd->cap_int = *(const int *)data;
 			break;
-		case CAPFAIL_SOCKADDR:
-			kcd->cap_sockaddr = *(const struct sockaddr *)data;
+		case CAPFAIL_SOCKADDR: {
+			size_t len;
+
+			len = MIN(((const struct sockaddr *)data)->sa_len,
+			    sizeof(kcd->cap_sockaddr));
+			memset(&kcd->cap_sockaddr, 0,
+			    sizeof(kcd->cap_sockaddr));
+			memcpy(&kcd->cap_sockaddr, data, len);
 			break;
+		}
 		case CAPFAIL_NAMEI:
 			strlcpy(kcd->cap_path, data, MAXPATHLEN);
 			break;