Fix buffer overflow in preloaded hostuuid cleaning
When a module of type "hostuuid" is provided by the loader,
prison0_init strips any trailing whitespace and ASCII control
characters by (a) adjusting the buffer length, and (b) zeroing out
the characters in question, before storing it as the system's
hostuuid.
The buffer length adjustment was correct, but the zeroing overwrote
one byte higher in memory than intended -- in the typical case,
zeroing one byte past the end of the hostuuid buffer. Due to the
layout of buffers passed by the boot loader to the kernel, this will
be the first byte of a subsequent buffer.
This was *probably* harmless; prison0_init runs after preloaded kernel
modules have been linked and after the preloaded /boot/entropy cache
has been processed, so in both cases having the first byte overwritten
will not cause problems. We cannot however rule out the possibility
that other objects which are preloaded by the loader could suffer from
having the first byte overwritten.
Since the zeroing does not in fact serve any purpose, remove it and
trim trailing whitespace and ASCII control characters by adjusting
the buffer length alone.
Fixes: c3188289 Preload hostuuid for early-boot use
Reviewed by: kevans, markj
MFC after: 3 days
This commit is contained in:
Colin Percival
parent
330f110bf1
commit
b6be9566d2
@ -257,7 +257,7 @@ prison0_init(void)
|
||||
* non-printable characters to be safe.
|
||||
*/
|
||||
while (size > 0 && data[size - 1] <= 0x20) {
|
||||
data[size--] = '\0';
|
||||
size--;
|
||||
}
|
||||
if (validate_uuid(data, size, NULL, 0) == 0) {
|
||||
(void)strlcpy(prison0.pr_hostuuid, data,
|
||||
|
||||
Loading…
Reference in New Issue
Block a user