From kbyanc@kronos.alcnet.com Wed Nov 17 17:16:23 1999
Return-Path: <kbyanc@kronos.alcnet.com>
Received: from kronos.alcnet.com (kronos.alcnet.com [63.69.28.22])
	by hub.freebsd.org (Postfix) with ESMTP id 77AC014EC5
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 17 Nov 1999 17:16:21 -0800 (PST)
	(envelope-from kbyanc@kronos.alcnet.com)
Received: (from kbyanc@localhost)
	by kronos.alcnet.com (8.9.3/8.9.3/antispam) id UAA18313;
	Wed, 17 Nov 1999 20:16:21 -0500 (EST)
Message-Id: <199911180116.UAA18313@kronos.alcnet.com>
Date: Wed, 17 Nov 1999 20:16:21 -0500 (EST)
From: kbyanc@posi.net
Sender: kbyanc@kronos.alcnet.com
Reply-To: kbyanc@posi.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: patch to zero spare stat fields
X-Send-Pr-Version: 3.2

>Number:         14966
>Category:       kern
>Synopsis:       patch to zero spare stat fields
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 17 17:20:01 PST 1999
>Closed-Date:    Thu Nov 18 00:16:08 PST 1999
>Last-Modified:  Thu Nov 18 00:16:25 PST 1999
>Originator:     Kelly Yancey
>Release:        FreeBSD 3.2-STABLE i386
>Organization:
>Environment:

  Tested on recently-built 3.3-STABLE box. Should apply cleanly to -current also.

>Description:

  The stat structure defines 2 spare fields which were filled with random contents from the kernel
stack. After some discussion on freebsd-security
http://docs.freebsd.org/cgi/mid.cgi?db=irt&id=Pine.BSF.4.05.9911171152270.8195-100000@kronos.alcnet.com
it was suggested that if a program was ever to be able to test for the presence of valid values in new
fields which may use the currently spare space, then we need to zero that space now. This patch zeros
the spare fields of both struct stat and struct nstat (ostat doesn't contain any spare fields) with
minimal impact on the code.

  Actually this patch also fixed a slight mistake in the ofstat code which filled in the ostat structure
even if an error occurred. The patch changes ostat to behave more like nfstat and only copy the
structure if an error has not occurred.

  Kelly

>How-To-Repeat:

  Call stat() twice on a file with an intervening syscall and memcmp the 2 structures you get back. Even if the
file's metadata has not changed, the structures will differ (specifically the spare fields will differ).

>Fix:
	
  Apply this patch in /sys/kern:

--- kern_descrip.c.orig	Wed Nov 17 19:50:15 1999
+++ kern_descrip.c	Wed Nov 17 19:50:45 1999
@@ -548,9 +548,10 @@
 		panic("ofstat");
 		/*NOTREACHED*/
 	}
-	cvtstat(&ub, &oub);
-	if (error == 0)
+	if (error == 0) {
+		cvtstat(&ub, &oub);
 		error = copyout((caddr_t)&oub, (caddr_t)uap->sb, sizeof (oub));
+	}
 	return (error);
 }
 #endif /* COMPAT_43 || COMPAT_SUNOS */
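Review bot: moving cvtstat(&ub, &oub) inside the `if (error == 0)` block is the right fix, since ub is only filled in when the underlying fstat succeeded and converting it on the error path read an uninitialized struct stat; the return value of ofstat is unchanged in every case. This ofstat fix is only mentioned in the PR text, so it should be called out in the commit message too, and it is worth checking whether any other COMPAT_43 caller of cvtstat has the same convert-before-check ordering.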
--- vfs_syscalls.c.orig	Mon Nov 15 23:25:48 1999
+++ vfs_syscalls.c	Wed Nov 17 19:53:32 1999
@@ -1677,6 +1677,8 @@
 	nsb->st_blksize = sb->st_blksize;
 	nsb->st_flags = sb->st_flags;
 	nsb->st_gen = sb->st_gen;
+	nsb->st_qspare[0] = sb->st_qspare[0];
+	nsb->st_qspare[1] = sb->st_qspare[1];
 }
 
 #ifndef _SYS_SYSPROTO_H_
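Review bot: cvtnstat copies sb->st_qspare[0..1] into nsb instead of assigning 0, so struct nstat's spares are only zero if the struct stat it converts came through a path that already cleared them; if the contract is "spare fields are always zero", `nsb->st_qspare[0] = 0;` and `nsb->st_qspare[1] = 0;` are self-contained and do not depend on the vfs_vnops.c change being in every caller's path. Also confirm against sys/stat.h whether struct nstat has an st_lspare or padding of its own: the PR text says both stat and nstat are zeroed, but this hunk only touches st_qspare.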
--- vfs_vnops.c.orig	Wed Nov 17 19:42:30 1999
+++ vfs_vnops.c	Wed Nov 17 19:54:28 1999
@@ -375,6 +375,14 @@
 	error = VOP_GETATTR(vp, vap, p->p_ucred, p);
 	if (error)
 		return (error);
+
+	/*
+	 * Zero the spare stat fields
+	 */
+	sb->st_lspare = 0;
+	sb->st_qspare[0] = 0;
+	sb->st_qspare[1] = 0;
+
 	/*
 	 * Copy from vattr table
 	 */
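Review bot: clearing st_lspare and st_qspare by name zeroes the named spare fields but not any compiler-inserted padding in struct stat, which would still carry kernel stack contents to user space through the callers' copyout; a `bzero(sb, sizeof(*sb));` before the "Copy from vattr table" block covers every byte, costs one small memset per stat, and keeps working when further spare fields are added without needing a matching edit here. The placement after the VOP_GETATTR error check is fine, since nothing is copied out on the error path.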


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: dillon 
State-Changed-When: Thu Nov 18 00:16:08 PST 1999 
State-Changed-Why:  
Patch committed to -current and -stable 
>Unformatted:
