Wed Feb 26 18:00:12 2020 UTC ()
Zero out the padding in 'd_namlen', to prevent info leaks. Same logic as
ufs_makedirentry().

Found by kMSan: the unzeroed bytes of the pool_cache object were being copied
to disk by a DMA write, where kMSan noticed uninitialized memory leaving the
system.

Reported-by: syzbot+382c9dffc06a9683abb5@syzkaller.appspotmail.com


(maxv)
diff -r1.248 -r1.249 src/sys/ufs/ufs/ufs_vnops.c


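--- a/src/sys/ufs/ufs/ufs_vnops.c
+++ b/src/sys/ufs/ufs/ufs_vnops.c
@@ -1,14 +1,14 @@
-/* $NetBSD: ufs_vnops.c,v 1.248 2019/09/18 17:59:15 christos Exp $ */
+/* $NetBSD: ufs_vnops.c,v 1.249 2020/02/26 18:00:12 maxv Exp $ */
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This code is derived from software contributed to The NetBSD Foundation
  * by Wasabi Systems, Inc.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
@@ -56,27 +56,27 @@
  * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
  * @(#)ufs_vnops.c 8.28 (Berkeley) 7/31/95
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ufs_vnops.c,v 1.248 2019/09/18 17:59:15 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ufs_vnops.c,v 1.249 2020/02/26 18:00:12 maxv Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_ffs.h"
 #include "opt_quota.h"
 #endif
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/namei.h>
 #include <sys/resourcevar.h>
 #include <sys/kernel.h>
 #include <sys/file.h>
 #include <sys/stat.h>
@@ -863,27 +863,31 @@ ufs_whiteout(void *v)
 		/* create a new directory whiteout */
 		error = UFS_WAPBL_BEGIN(dvp->v_mount);
 		if (error)
 			break;
 
 		KASSERTMSG((ump->um_maxsymlinklen > 0),
 		    "ufs_whiteout: old format filesystem");
 
 		newdir = pool_cache_get(ufs_direct_cache, PR_WAITOK);
 		newdir->d_ino = UFS_WINO;
 		newdir->d_namlen = cnp->cn_namelen;
 		memcpy(newdir->d_name, cnp->cn_nameptr,
 		    (size_t)cnp->cn_namelen);
-		newdir->d_name[cnp->cn_namelen] = '\0';
+
+		/* NUL terminate and zero out padding */
+		memset(&newdir->d_name[cnp->cn_namelen], 0,
+		    UFS_NAMEPAD(cnp->cn_namelen));
+
 		newdir->d_type = DT_WHT;
 		error = ufs_direnter(dvp, ulr, NULL, newdir, cnp, NULL);
 		pool_cache_put(ufs_direct_cache, newdir);
 		break;
 
 	case DELETE:
 		/* remove an existing directory whiteout */
 		error = UFS_WAPBL_BEGIN(dvp->v_mount);
 		if (error)
 			break;
 
 		KASSERTMSG((ump->um_maxsymlinklen > 0),
 		    "ufs_whiteout: old format filesystem");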
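Review bot: Dropping the explicit `newdir->d_name[cnp->cn_namelen] = '\0';` makes NUL termination of the whiteout name depend on `UFS_NAMEPAD(cnp->cn_namelen)` being at least 1 for every name length the lookup can deliver; the comment on new line 877 asserts this but nothing in the hunk checks it, so a `KASSERT(UFS_NAMEPAD(cnp->cn_namelen) >= 1);` ahead of the memset, or a comment stating the invariant, would pin it down. The memset clears only the d_name padding, not the remainder of the pool_cache object, so the leak is closed only if ufs_direnter writes no more than the padded entry to disk — presumably the case, given the commit message says ufs_makedirentry() uses the same logic, but worth a sentence in the comment since the old bytes of the object still reach ufs_direnter. Note also that the commit message says 'd_namlen' where the code zeroes the padding of d_name. ufs_whiteout begins and ends outside the hunk.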