freebsd kernel with SKQ
Stefan Eßer 6c2596f00c Change getlocalbase() to not allocate any heap memory
After the commit of the current version, Scott Long pointed out that an
attacker might be able to cause a use-after-free access if this function
returned the value of the sysctl variable "user.localbase" by freeing
the allocated memory without the cached address being cleared in the
library function.

To resolve this issue, I have proposed the originally suggested version
with a statically allocated buffer in a review (D27370). There was no
feedback on this review and after waiting for more than 2 weeks, the
potential security issue is fixed by this commit. (There was no security
risk in practice, since none of the programs converted to use this
function attempted to free the buffer. The address could only have
pointed into the heap if user.localbase was set to a non-default value,
into r/o data or the environment, else.)

This version uses a static buffer of size LOCALBASE_CTL_LEN, which
defaults to MAXPATHLEN. This does not increase the memory footprint
of the library at this time, since its data segment grows from less
than 7 KB to less than 8 KB, i.e. it will get two 4 KB pages on typical
architectures, anyway.

Compiling with LOCALBASE_CTL_LEN defined as 0 will remove the code
that accesses the sysctl variable, values between 1 and MAXPATHLEN-1
will limit the maximum size of the prefix. When built with such a
value and if too large a value has been configured in user.localbase,
the value defined as ILLEGAL_PREFIX will be returned to cause any
file operations on that result to fail. (Default value is "/dev/null/",
the review contained "/\177", but I assume that "/dev/null" exists and
cannot be accessed as a directory. Any other string that can be assumed
not to be a valid path prefix could be used.)

I do suggest to use LOCALBASE_CTL_LEN to size the in-kernel buffer for
the user.localbase variable, too. Doing this would guarantee that the
result always fits into the buffer in this library function (unless run
on a kernel built with a different buffer size).

The function always returns a valid string, and only in case it is built
with a small static buffer and run on a system with too large a value in
user.localbase, the ILLEGAL_PREFIX will be returned, effectively causing
the created path to be non-existent.

Differential Revision:	https://reviews.freebsd.org/D27370
2020-12-12 11:23:52 +00:00
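
The static-buffer behaviour described in the commit message above, as an added sketch in C (not the FreeBSD source or the committed code). `LOCALBASE_CTL_LEN` and `ILLEGAL_PREFIX` are the names from the message; `demo_getlocalbase`, `read_localbase_ctl`, the `configured` parameter standing in for the `user.localbase` sysctl, the `/usr/local` default and the demo buffer size of 16 are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Macro names are from the commit message; the values are for this demo. */
#define LOCALBASE_CTL_LEN 16           /* small on purpose; the commit defaults to MAXPATHLEN */
#define ILLEGAL_PREFIX "/dev/null/"    /* default value quoted in the commit message */
#define DEFAULT_LOCALBASE "/usr/local" /* assumed compile-time default */

#if LOCALBASE_CTL_LEN > 0
/* Hypothetical stand-in for reading user.localbase: copies `configured`
 * into buf when it fits and returns the size needed including the NUL
 * (0 when nothing is configured). */
static size_t read_localbase_ctl(const char *configured, char *buf, size_t len)
{
    size_t need;
    if (configured == NULL || configured[0] == '\0')
        return 0;
    need = strlen(configured) + 1;
    if (need <= len)
        memcpy(buf, configured, need);
    return need;
}
#endif

/* The result points at static storage or a string literal, never at heap
 * memory, so there is no allocation a caller could free behind a cache. */
const char *demo_getlocalbase(const char *configured)
{
#if LOCALBASE_CTL_LEN > 0
    static char localpath[LOCALBASE_CTL_LEN];
    size_t need = read_localbase_ctl(configured, localpath, sizeof(localpath));

    if (need > sizeof(localpath))
        return ILLEGAL_PREFIX; /* value too long: later file operations fail */
    if (need > 0)
        return localpath;
#else
    (void)configured; /* lookup code compiled out */
#endif
    return DEFAULT_LOCALBASE;
}

int main(void)
{
    printf("%s\n", demo_getlocalbase("/opt/pkg"));                /* constructed value */
    printf("%s\n", demo_getlocalbase("/a/very/long/prefix/dir")); /* constructed, too long */
    printf("%s\n", demo_getlocalbase(NULL));
    return 0;
}
```
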
.github/workflows GH Actions: Use pre-installed clang packages 2020-11-26 14:42:16 +00:00
bin Remove unused headers. 2020-12-12 02:26:43 +00:00
cddl dtrace: honor LC_NUMERIC for %'d and alike, and LC_TIME for %T 2020-12-03 11:59:40 +00:00
contrib ee(1): Whitespace cleanup 2020-12-10 10:58:30 +00:00
crypto Merge OpenSSL 1.1.1i. 2020-12-09 02:05:14 +00:00
etc Missed adding netgraph to mtree in r368443: 2020-12-08 17:44:34 +00:00
gnu gnu: don't build libgnuregex for WITH_GNU_GREP_COMPAT 2020-12-04 15:21:12 +00:00
include Import OpenSSL 1.1.1i. 2020-12-08 18:10:16 +00:00
kerberos5 Fix more -Wundef warnings during bootstrap 2020-10-14 12:28:54 +00:00
lib Change getlocalbase() to not allocate any heap memory 2020-12-12 11:23:52 +00:00
libexec Fix the TFTP client when performing a RRQ for files smaller than 512 bytes 2020-12-10 19:36:33 +00:00
release Fix staging riscv images. 2020-12-09 20:38:26 +00:00
rescue ping: add a ping6 hard link for backwards compatibility 2020-11-26 18:33:04 +00:00
sbin geom(8): list geoms with /dev/ prefix 2020-12-12 07:22:38 +00:00
secure caroot: update bundle 2020-12-11 18:14:43 +00:00
share ndis(4): expand deprecation to the whole driver 2020-12-11 21:51:50 +00:00
stand lualoader: provide module-manipulation commands 2020-12-12 05:57:42 +00:00
sys Fix NOINET6 build broken by r368571. 2020-12-12 01:05:31 +00:00
targets Add WITH_CLANG_FORMAT option 2020-06-24 17:03:42 +00:00
tests posixshm_test.c: remove tautological checks 2020-12-11 22:52:20 +00:00
tools riscv: allow building virtual machine images 2020-12-08 00:37:11 +00:00
usr.bin lock(1): Add EXAMPLES section 2020-12-11 19:27:21 +00:00
usr.sbin fix up documentation/comments: processname is not defined, but programname 2020-12-10 23:23:42 +00:00
.arcconfig arcconfig: add callsign again 2020-11-23 04:39:29 +00:00
.arclint arc lint: ignore /tests/ in chmod 2017-12-19 03:38:06 +00:00
.cirrus.yml CI: switch to qemu42 package 2020-10-29 02:02:30 +00:00
.clang-format clang-format: Avoid breaking after the opening paren of function definitions 2020-10-28 11:54:00 +00:00
.gitattributes Add a basic clang-format configuration file 2019-06-07 15:23:52 +00:00
.gitignore Stop ignoring makeLINT generated files 2020-10-09 00:27:45 +00:00
COPYRIGHT Happy New Year 2020! 2019-12-31 16:01:36 +00:00
LOCKS LOCKS: update current locks 2018-06-09 03:08:04 +00:00
MAINTAINERS Add a pointer to csprng@ for the CSPRNG driver. This is enforced anyway by 2020-09-01 08:02:12 +00:00
Makefile Makefile: re-wordsmith the blurb about xtoolchain ports 2020-11-14 18:06:35 +00:00
Makefile.inc1 crunchgen: fix NULL-deref bug introduced in r364647 2020-12-04 15:53:37 +00:00
Makefile.libcompat Race in 32-bit fixed 2020-10-08 17:30:05 +00:00
Makefile.sys.inc AUTO_OBJ: For all top-level targets enforce using an OBJDIR. 2017-12-05 21:29:47 +00:00
ObsoleteFiles.inc hme(4): Remove as previous announced 2020-12-11 21:40:38 +00:00
README Import OpenSSL 1.1.1i. 2020-12-08 18:10:16 +00:00
README.md README: add generic notes about GENERIC and NOTES 2018-06-17 19:44:24 +00:00
RELNOTES Note removal of hme(4) 2020-12-11 21:43:44 +00:00
UPDATING Merge ping6 to ping 2020-11-26 04:29:30 +00:00

FreeBSD Source:

This is the top level of the FreeBSD source directory. This file was last revised on: FreeBSD

FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms. A large community has continually developed it for more than thirty years. Its advanced networking, security, and storage features have made FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage devices.

For copyright information, please see the file COPYRIGHT in this directory. Additional copyright information also exists for some sources in this tree - please see the specific source directories for more information.

The Makefile in this directory supports a number of targets for building components (or all) of the FreeBSD source tree. See build(7), config(8), https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html, and https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html for more information, including setting make(1) variables.

Source Roadmap:

bin		System/user commands.

cddl		Various commands and libraries under the Common Development
		and Distribution License.

contrib		Packages contributed by 3rd parties.

crypto		Cryptography stuff (see crypto/README).

etc		Template files for /etc.

gnu		Various commands and libraries under the GNU Public License.
		Please see gnu/COPYING* for more information.

include		System include files.

kerberos5	Kerberos5 (Heimdal) package.

lib		System libraries.

libexec		System daemons.

release		Release building Makefile & associated tools.

rescue		Build system for statically linked /rescue utilities.

sbin		System commands.

secure		Cryptographic libraries and commands.

share		Shared resources.

stand		Boot loader sources.

sys		Kernel sources.

sys/<arch>/conf Kernel configuration files. GENERIC is the configuration
		used in release builds. NOTES contains documentation of
		all possible entries.

tests		Regression tests which can be run by Kyua.  See tests/README
		for additional information.

tools		Utilities for regression testing and miscellaneous tasks.

usr.bin		User commands.

usr.sbin	System administration commands.

For information on synchronizing your source tree with one or more of the FreeBSD Project's development branches, please see:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/current-stable.html