From 3717a36932193c105b2dd7ac3b3dc0c20bb680e5 Mon Sep 17 00:00:00 2001 From: Mark Johnston Date: Mon, 20 Jan 2025 13:50:04 +0000 Subject: [PATCH] ktrace: Fix uninitialized memory disclosure The sockaddr passed to ktrcapfail() may be smaller than sizeof(struct sockaddr), and the trailing bytes in the sockaddr structure will be uninitialized, whereupon they get copied out to userspace. Approved by: so Security: FreeBSD-SA-25:04.ktrace PR: 283673 Reviewed by: jfree, emaste Reported by: Yichen Chai Reported by: Zhuo Ying Jiang Li Fixes: 9bec84131215 ("ktrace: Record detailed ECAPMODE violations") MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D48499 (cherry picked from commit 5b86888bae651e54ccc0adde0ed897ec1c1e0d45) (cherry picked from commit 99d5ee8738a354e0d8f12453a82ed87e47bd62f1) --- sys/kern/kern_ktrace.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c index 1c6a2ae01f3..2b311f2d36d 100644 --- a/sys/kern/kern_ktrace.c +++ b/sys/kern/kern_ktrace.c @@ -958,9 +958,16 @@ ktrcapfail(enum ktr_cap_violation type, const void *data) case CAPFAIL_PROTO: kcd->cap_int = *(const int *)data; break; - case CAPFAIL_SOCKADDR: - kcd->cap_sockaddr = *(const struct sockaddr *)data; + case CAPFAIL_SOCKADDR: { + size_t len; + + len = MIN(((const struct sockaddr *)data)->sa_len, + sizeof(kcd->cap_sockaddr)); + memset(&kcd->cap_sockaddr, 0, + sizeof(kcd->cap_sockaddr)); + memcpy(&kcd->cap_sockaddr, data, len); break; + } case CAPFAIL_NAMEI: strlcpy(kcd->cap_path, data, MAXPATHLEN); break;