freebsd-dev/sys
Kirk McKusick 0061238fb0 This update eliminates a kernel stack disclosure bug in UFS/FFS
directory entries that is caused by uninitialized directory entry
padding written to the disk. It can be viewed by any user with read
access to that directory. Up to 3 bytes of kernel stack are disclosed
per file entry, depending on the amount of padding the kernel
needs to pad out the entry to a 32-bit boundary. The offset in the
kernel stack that is disclosed is a function of the filename size.
Furthermore, if the user can create files in a directory, this 3-byte
window can be expanded 3 bytes at a time to a 254-byte window
with 75% of the data in that window exposed. The additional exposure
is done by removing the entry, creating a new entry with a 4-byte
longer name, extracting 3 more bytes by reading the directory, and
repeating until a 252-byte name is created.

This exploit works in part because the area of the kernel stack
that is being disclosed is in an area that typically doesn't change
that often (perhaps a few times a second on a lightly loaded system),
and these file creates and unlinks themselves don't overwrite the
area of kernel stack being disclosed.

It appears that this bug originated with the creation of the Fast
File System in 4.1b-BSD (Circa 1982, more than 36 years ago!), and
is likely present in every Unix or Unix-like system that uses
UFS/FFS. Amazingly, nobody noticed until now.

This update also adds the -z flag to fsck_ffs to have it scrub
the leaked information in the name padding of existing directories.
It only needs to be run once on each UFS/FFS filesystem after a
patched kernel is installed and running.

Submitted by: David G. Lawrence <dg@dglawrence.com>
Reviewed by:  kib
MFC after:    1 week
2019-05-03 21:54:14 +00:00
amd64 Emulate the "ADD reg, r/m" instruction (opcode 03H). 2019-05-03 21:48:42 +00:00
arm Add a COMPAT_FREEBSD12 kernel option. 2019-05-02 18:10:23 +00:00
arm64 In order to reduce duplication between MD parts of the Linuxulator 2019-05-03 08:42:49 +00:00
bsm Create new EINTEGRITY error with message "Integrity check failed". 2019-01-17 06:35:45 +00:00
cam Report DIF protection type the disk is formatted with. 2019-04-22 01:08:14 +00:00
cddl Add mutex_destroy() missed in r334844. 2019-04-26 19:02:21 +00:00
compat In order to reduce duplication between MD parts of the Linuxulator 2019-05-03 08:42:49 +00:00
conf Add a COMPAT_FREEBSD12 kernel option. 2019-05-02 18:10:23 +00:00
contrib Left justify a function header brace as it should be. 2019-04-28 04:05:43 +00:00
crypto Embedded chacha: Add 0-bit iv + 128-bit counter mode 2019-03-01 23:30:23 +00:00
ddb ddb: Print the thread's pcb in 'show thread' 2019-02-09 21:08:19 +00:00
dev o Rewrite softdma_process_tx() of Altera SoftDMA engine driver 2019-04-29 16:27:15 +00:00
dts arm64: Add support for NanoPI NEO2 2019-05-02 12:56:13 +00:00
fs Add #ifdef INET as requested by bz@. 2019-04-21 22:53:51 +00:00
gdb
geom Call delist_dev() before destroy_dev_sched_cb(). 2019-04-24 19:56:02 +00:00
gnu Import DTS files from Linux 5.0 2019-04-10 18:15:36 +00:00
i386 In order to reduce duplication between MD parts of the Linuxulator 2019-05-03 08:42:49 +00:00
isa
kern Disallow excessively small times of day in clock_settime(2). 2019-05-03 21:26:44 +00:00
kgssapi * Handle SIGPIPE in gssd 2019-02-21 01:30:37 +00:00
libkern Revert r346410 and r346411 2019-04-19 22:08:17 +00:00
mips Add a COMPAT_FREEBSD12 kernel option. 2019-05-02 18:10:23 +00:00
modules dtb: Include RK3399 RockPro64 DTS in kernel build 2019-05-02 17:04:01 +00:00
net Allow iflib drivers to pass a pointer to their own ifmedia structure. 2019-05-03 20:05:31 +00:00
net80211 net80211: correct check for SMPS node flags updates 2019-03-18 02:40:22 +00:00
netgraph Remove 'dir' argument in ng_ipfw_input, since ip_fw_args now has this info. 2019-03-14 22:30:05 +00:00
netinet ip multicast debug: fix strings vs defines 2019-04-29 18:09:55 +00:00
netinet6 Track TCP connection's NUMA domain in the inpcb 2019-04-25 15:37:28 +00:00
netipsec Replace read_random(9) with more appropriate arc4rand(9) KPIs 2019-04-04 01:02:50 +00:00
netpfil Add IPv6 support for O_IPLEN opcode. 2019-04-29 09:33:16 +00:00
netsmb Remove unused argument to priv_check_cred. 2018-12-11 19:32:16 +00:00
nfs
nfsclient
nfsserver
nlm
ofed Mechanical cleanup of epoch(9) usage in network stack. 2019-01-09 01:11:19 +00:00
opencrypto Don't panic for empty CCM requests. 2019-04-24 23:27:39 +00:00
powerpc Add a COMPAT_FREEBSD12 kernel option. 2019-05-02 18:10:23 +00:00
riscv Deactivate IRQ resource by calling to intr_deactivate_irq(). 2019-05-01 15:03:12 +00:00
rpc Fix malloc stats for the RPCSEC_GSS server code when DEBUG is enabled. 2019-04-04 01:23:06 +00:00
security When MAC is enabled and a policy module is loaded, don't unconditionally 2019-05-03 20:38:43 +00:00
sparc64 Add a COMPAT_FREEBSD12 kernel option. 2019-05-02 18:10:23 +00:00
sys Remove p_code from struct proc. 2019-04-25 18:42:07 +00:00
teken Attempt to complete fixing programmable function keys for syscons. 2019-02-20 02:14:41 +00:00
tests Regularize the Netflix copyright 2019-02-04 21:28:25 +00:00
tools make_dtb.sh: Use $CPP instead of assuming that cpp is in $PATH 2018-12-14 23:53:28 +00:00
ufs This update eliminates a kernel stack disclosure bug in UFS/FFS 2019-05-03 21:54:14 +00:00
vm fls() should find the most significant bit of an int faster than a 2019-05-03 02:55:54 +00:00
x86 Remove witness warning, same as r346351 for busdma_dmar. 2019-04-28 18:45:44 +00:00
xdr
xen xen: introduce a new way to setup event channel upcall 2019-01-30 11:34:52 +00:00
Makefile