CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	cem <cem@FreeBSD.org>
	Fri, 10 May 2019 21:55:11 +0000 (21:55 +0000)
committer	cem <cem@FreeBSD.org>
	Fri, 10 May 2019 21:55:11 +0000 (21:55 +0000)
commit	de66b6077bed4e5465663bf2ce2eac2ce3679ec7
tree	23b4dcde7ae390db9fb768886010a0396443d9d1	tree \| snapshot
parent	909cac0308c7429ffe8087ebf187dee2ee9ec49f	commit \| diff

netdump: Don't store sensitive key data we don't need

Prior to this revision, struct diocskerneldump_arg (and struct netdump_conf
with embedded diocskerneldump_arg before r347192), were copied in their
entirety to the global 'nd_conf' variable. Also prior to this revision,
de-configuring netdump would *not* remove the the key material from global
nd_conf.

As part of Encrypted Kernel Crash Dumps (EKCD), which was developed
contemporaneously with netdump but happened to land first, the
diocskerneldump_arg structure will contain sensitive key material
(kda_key[]) when encrypted dumps are configured.

Netdump doesn't have any use for the key data -- encryption is handled in
the core dumper code -- so in this revision, we no longer store it.

Unfortunately, I think this leak dates to the initial import of netdump in
r333283; so it's present in FreeBSD 12.0.

Fortunately, the impact *seems* relatively minor. Any new *netdump*
configuration would overwrite the key material; for active encrypted netdump
configurations, the key data stored was just a duplicate of the key material
already in the core dumper code; and no user interface (other than
/dev/kmem) actually exposed the leaked material to userspace.

Reviewed by: markj, rpokala (earlier commit message)
MFC after: 2 weeks
Security: yes (minor)
Sponsored by: Dell EMC Isilon
Differential Revision: https://reviews.freebsd.org/D20233