authorGordon Tetlow <gordon@FreeBSD.org>2018-04-04 05:43:03 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2018-04-04 05:43:03 +0000
commit8411c9ac24aabdbbde468778b35da58dc3c15178 (patch)
tree86ded7fd2b24fcb42a6ef3883c4c6eb617e2dfc1
parent211072860627f05561c829d09714b201a72562cf (diff)
Fix multiple small kernel memory disclosures. [EN-18:04.mem]releng/10.3
Reported by: Ilja van Sprundel Approved by: so Security: CVE-2018-6919 Security: FreeBSD-EN-18:04.mem
Notes
Notes: svn path=/releng/10.3/; revision=331987
-rw-r--r--sys/compat/svr4/svr4_misc.c1
-rw-r--r--sys/dev/drm/drm_bufs.c1
-rw-r--r--sys/dev/drm/drm_irq.c2
-rw-r--r--sys/dev/hpt27xx/hpt27xx_osm_bsd.c4
-rw-r--r--sys/dev/hptnr/hptnr_osm_bsd.c4
-rw-r--r--sys/dev/hptrr/hptrr_osm_bsd.c4
-rw-r--r--sys/i386/ibcs2/ibcs2_misc.c1
7 files changed, 10 insertions, 7 deletions
diff --git a/sys/compat/svr4/svr4_misc.c b/sys/compat/svr4/svr4_misc.c
index 5d1a4098115b..f01efc5f84ac 100644
--- a/sys/compat/svr4/svr4_misc.c
+++ b/sys/compat/svr4/svr4_misc.c
@@ -260,6 +260,7 @@ svr4_sys_getdents64(td, uap)
u_long *cookies = NULL, *cookiep;
int ncookies;
+ memset(&svr4_dirent, 0, sizeof(svr4_dirent));
DPRINTF(("svr4_sys_getdents64(%d, *, %d)\n",
uap->fd, uap->nbytes));
error = getvnode(td->td_proc->p_fd, uap->fd,
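Review bot: The added `memset(&svr4_dirent, 0, sizeof(svr4_dirent));` carries no comment saying why it is there, so a later cleanup could drop it as redundant with the field assignments that follow. I would put `/* Clear padding and unset bytes; the structure is copied out to userland. */` above it. The copy-out is outside this hunk, so that wording is inferred from the commit title and should be confirmed against the rest of svr4_sys_getdents64. The same comment would fit the memset calls added in drm_infobufs and ibcs2_getdents. If the structure is reused for every directory entry, zeroing it once clears stack residue but not bytes left by the previous entry, so the loop (not visible here) is worth checking.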
diff --git a/sys/dev/drm/drm_bufs.c b/sys/dev/drm/drm_bufs.c
index 2d27cd4b88b5..94ab67df6c4b 100644
--- a/sys/dev/drm/drm_bufs.c
+++ b/sys/dev/drm/drm_bufs.c
@@ -935,6 +935,7 @@ int drm_infobufs(struct drm_device *dev, void *data, struct drm_file *file_priv)
if (dma->bufs[i].buf_count) {
struct drm_buf_desc from;
+ memset(&from, 0, sizeof(from));
from.count = dma->bufs[i].buf_count;
from.size = dma->bufs[i].buf_size;
from.low_mark = dma->bufs[i].freelist.low_mark;
diff --git a/sys/dev/drm/drm_irq.c b/sys/dev/drm/drm_irq.c
index 8977bcf8a562..a69dfd5f8af6 100644
--- a/sys/dev/drm/drm_irq.c
+++ b/sys/dev/drm/drm_irq.c
@@ -357,7 +357,7 @@ int drm_modeset_ctl(struct drm_device *dev, void *data,
goto out;
crtc = modeset->crtc;
- if (crtc >= dev->num_crtcs) {
+ if (crtc < 0 || crtc >= dev->num_crtcs) {
ret = EINVAL;
goto out;
}
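Review bot: The new `crtc < 0` test is only meaningful if `crtc` is a signed local, and its declaration is outside this hunk, so the reason for the extra condition cannot be seen where the check is made. A short comment such as `/* crtc is caller-supplied; a negative value passes the upper-bound test alone */` would keep the lower bound from being removed later as "always false". If the field in `modeset` is unsigned, which should be confirmed, making the local unsigned as well would let the single comparison `crtc >= dev->num_crtcs` cover both ends once `num_crtcs` is compared in the same type.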
diff --git a/sys/dev/hpt27xx/hpt27xx_osm_bsd.c b/sys/dev/hpt27xx/hpt27xx_osm_bsd.c
index 3facf803064f..9c062c61ab7a 100644
--- a/sys/dev/hpt27xx/hpt27xx_osm_bsd.c
+++ b/sys/dev/hpt27xx/hpt27xx_osm_bsd.c
@@ -1402,7 +1402,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
{
PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
IOCTL_ARG ioctl_args;
- HPT_U32 bytesReturned;
+ HPT_U32 bytesReturned = 0;
switch (cmd){
case HPT_DO_IOCONTROL:
@@ -1432,7 +1432,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
}
if (ioctl_args.nOutBufferSize) {
- ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
+ ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
if (!ioctl_args.lpOutBuffer)
goto invalid;
}
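Review bot: `ioctl_args.nOutBufferSize` reaches `malloc(..., M_WAITOK | M_ZERO)` with no upper bound visible in this hunk, and it appears to come from the caller's ioctl parameters (the assignment is outside the hunk). Zeroing the buffer stops the disclosure, but an oversized request could still tie up kernel memory, so a cap before the allocation is worth adding, for example `if (ioctl_args.nOutBufferSize > MAX_OUT_BUFFER) goto invalid;` where `MAX_OUT_BUFFER` is a placeholder for a limit the driver would have to define. Separately, malloc(9) with `M_WAITOK` does not return NULL, so the `if (!ioctl_args.lpOutBuffer) goto invalid;` test that follows is dead code and can mislead readers about the failure mode. Both points apply equally to the matching hunks in hptnr_osm_bsd.c and hptrr_osm_bsd.c.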
diff --git a/sys/dev/hptnr/hptnr_osm_bsd.c b/sys/dev/hptnr/hptnr_osm_bsd.c
index de5ce8bc9e43..1312e1edc49a 100644
--- a/sys/dev/hptnr/hptnr_osm_bsd.c
+++ b/sys/dev/hptnr/hptnr_osm_bsd.c
@@ -1584,7 +1584,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
{
PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
IOCTL_ARG ioctl_args;
- HPT_U32 bytesReturned;
+ HPT_U32 bytesReturned = 0;
switch (cmd){
case HPT_DO_IOCONTROL:
@@ -1614,7 +1614,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
}
if (ioctl_args.nOutBufferSize) {
- ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
+ ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
if (!ioctl_args.lpOutBuffer)
goto invalid;
}
diff --git a/sys/dev/hptrr/hptrr_osm_bsd.c b/sys/dev/hptrr/hptrr_osm_bsd.c
index ad7d79e34664..14b249006e2c 100644
--- a/sys/dev/hptrr/hptrr_osm_bsd.c
+++ b/sys/dev/hptrr/hptrr_osm_bsd.c
@@ -1231,7 +1231,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
{
PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
IOCTL_ARG ioctl_args;
- HPT_U32 bytesReturned;
+ HPT_U32 bytesReturned = 0;
switch (cmd){
case HPT_DO_IOCONTROL:
@@ -1261,7 +1261,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
}
if (ioctl_args.nOutBufferSize) {
- ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
+ ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
if (!ioctl_args.lpOutBuffer)
goto invalid;
}
diff --git a/sys/i386/ibcs2/ibcs2_misc.c b/sys/i386/ibcs2/ibcs2_misc.c
index 270147145812..b0e1dff30cb0 100644
--- a/sys/i386/ibcs2/ibcs2_misc.c
+++ b/sys/i386/ibcs2/ibcs2_misc.c
@@ -352,6 +352,7 @@ ibcs2_getdents(td, uap)
#define BSD_DIRENT(cp) ((struct dirent *)(cp))
#define IBCS2_RECLEN(reclen) (reclen + sizeof(u_short))
+ memset(&idb, 0, sizeof(idb));
error = getvnode(td->td_proc->p_fd, uap->fd,
cap_rights_init(&rights, CAP_READ), &fp);
if (error != 0)