Subject: [FreeBSD] setlogin(2) kernel stack disclosure

Mateusz Guzik found an interesting vulnerability. Worth patching.

I. Background

The setlogin(2) system call sets the login name of the user associated
with the current session. The getlogin(2) routine returns the login name
of the user associated with the current session, as previously set by
setlogin(2).

II. Problem Description

When setlogin(2) is called while setting up a new login session, the
login name is copied into an uninitialized stack buffer, which is then
copied into a buffer of the same size in the session structure. The
getlogin(2) system call returns the entire buffer rather than just the
portion occupied by the login name associated with the session.

III. Impact

An unprivileged user can access this memory by calling getlogin(2) and
reading beyond the terminating NUL character of the resulting string.
Up to 16 (FreeBSD 8) or 32 (FreeBSD 9 and 10) bytes of kernel memory
may be leaked in this manner for each invocation of setlogin(2).

This memory may contain sensitive information, such as portions of the
file cache or terminal buffers, which an attacker might leverage to
obtain elevated privileges.

[1] https://www.freebsd.org/security/advisories/FreeBSD-SA-...
Michał Błaszczak
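To illustrate the bug class the advisory describes, here is an added user-space simulation in C. It is not FreeBSD's kernel code and is not part of the advisory or this thread: a pretend session structure, a buffer standing in for the uninitialized kernel stack that the caller pre-fills with a constructed marker byte, the vulnerable copy pattern beside a corrected one, and a counter for how many non-zero bytes survive past the NUL when the whole buffer is returned. The buffer size of 33 (chosen to match the up-to-32-byte figure for FreeBSD 9 and 10) and the names setlogin_vulnerable, setlogin_fixed, getlogin_entire, leaked_bytes and leak_with are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed login buffer size: 32 characters plus the terminating NUL. */
#define LOGIN_BUFSZ 33

/* Constructed stand-in for the session structure; not FreeBSD's struct session. */
struct session {
    char s_login[LOGIN_BUFSZ];
};

/* Emulate the length limit of copying a user string into a fixed buffer. */
static size_t copy_name(char *dst, const char *name)
{
    size_t n = strlen(name);
    if (n >= LOGIN_BUFSZ)
        n = LOGIN_BUFSZ - 1;
    memcpy(dst, name, n);
    dst[n] = '\0';
    return n;
}

/* Vulnerable pattern: stale_stack plays the uninitialized local buffer. Only
 * the name and its NUL are written, yet the entire buffer is copied into the
 * session, so whatever was on the stack past the NUL travels along. */
static void setlogin_vulnerable(struct session *sess, const char *name, char *stale_stack)
{
    copy_name(stale_stack, name);
    memcpy(sess->s_login, stale_stack, LOGIN_BUFSZ);
}

/* One corrected pattern: zero the destination and copy only name + NUL.
 * Zeroing the local buffer before use would close the leak just as well. */
static void setlogin_fixed(struct session *sess, const char *name, char *stale_stack)
{
    size_t n = copy_name(stale_stack, name);
    memset(sess->s_login, 0, LOGIN_BUFSZ);
    memcpy(sess->s_login, stale_stack, n + 1);
}

/* getlogin(2) as the advisory describes it: hands back the whole buffer. */
static void getlogin_entire(const struct session *sess, char *out)
{
    memcpy(out, sess->s_login, LOGIN_BUFSZ);
}

/* Count non-zero bytes after the terminating NUL: the size of the leak. */
static size_t leaked_bytes(const char *buf)
{
    size_t leaked = 0;
    for (size_t i = strlen(buf) + 1; i < LOGIN_BUFSZ; i++)
        if (buf[i] != 0)
            leaked++;
    return leaked;
}

/* Run one variant against a "stack" pre-filled with a constructed marker byte
 * so the result is deterministic; on a real kernel the bytes would be whatever
 * the previous call left behind. */
static size_t leak_with(int fixed, const char *name)
{
    char stale[LOGIN_BUFSZ];
    memset(stale, 0xAA, sizeof stale);      /* constructed stale kernel data */

    struct session sess;
    memset(&sess, 0, sizeof sess);
    if (fixed)
        setlogin_fixed(&sess, name, stale);
    else
        setlogin_vulnerable(&sess, name, stale);

    char out[LOGIN_BUFSZ];
    getlogin_entire(&sess, out);
    return leaked_bytes(out);
}

int main(void)
{
    printf("vulnerable, name \"root\": %zu stale bytes past NUL\n", leak_with(0, "root"));
    printf("vulnerable, empty name:   %zu stale bytes past NUL\n", leak_with(0, ""));
    printf("fixed, name \"root\":      %zu stale bytes past NUL\n", leak_with(1, "root"));
    return 0;
}
```

The empty-name case reproduces the advisory's upper bound: with a 33-byte buffer, all 32 bytes after the NUL come from the stale stack. The check a reviewer wants in either copy is that nothing beyond the name and its terminator reaches the session structure, or that the local buffer is zeroed before any of it is copied.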

Subject: [FreeBSD] setlogin(2) kernel stack disclosure

So it's not only Linux that won't be having its year (bash, ssl) :) ?


