authorGordon Tetlow <gordon@FreeBSD.org>2018-05-08 17:14:54 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2018-05-08 17:14:54 +0000
commitf65f856cd0d69a4cbc4103c7bb54d89cab709bb6 (patch)
treebc9d33b202825d3a66a1680abad21dc91f53d478
parentc6af5b6b13312561d61dffbb12b02288064f74af (diff)
downloadsrc-f65f856cd0d69a4cbc4103c7bb54d89cab709bb6.tar.gz
src-f65f856cd0d69a4cbc4103c7bb54d89cab709bb6.zip
Fix multiple small kernel memory disclosures. [EN-18:05.mem]
Approved by: so Security: CVE-2018-6920 Security: CVE-2018-6921 Security: FreeBSD-EN-18:05.mem
Notes
Notes: svn path=/releng/11.1/; revision=333372
-rw-r--r--sys/compat/linux/linux_ioctl.c2
-rw-r--r--sys/compat/linux/linux_ipc.c10
-rw-r--r--sys/dev/ath/if_ath_btcoex.c3
-rw-r--r--sys/dev/ath/if_ath_ioctl.c2
-rw-r--r--sys/dev/ath/if_ath_lna_div.c3
-rw-r--r--sys/dev/ath/if_ath_spectral.c3
-rw-r--r--sys/netinet/tcp_usrreq.c4
7 files changed, 22 insertions, 5 deletions
diff --git a/sys/compat/linux/linux_ioctl.c b/sys/compat/linux/linux_ioctl.c
index b77db6c34dde..5c30c1929f5d 100644
--- a/sys/compat/linux/linux_ioctl.c
+++ b/sys/compat/linux/linux_ioctl.c
@@ -253,6 +253,7 @@ linux_ioctl_hdio(struct thread *td, struct linux_ioctl_args *args)
} else if ((args->cmd & 0xffff) == LINUX_HDIO_GET_GEO_BIG) {
struct linux_hd_big_geometry hdbg;
+ memset(&hdbg, 0, sizeof(hdbg));
hdbg.cylinders = fwcylinders;
hdbg.heads = fwheads;
hdbg.sectors = fwsectors;
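Review bot: The added memset of `hdbg` deserves a comment saying why it is there, because every named field is assigned immediately afterwards and a later reader may drop it as redundant. Field assignments leave struct padding untouched, and the struct is presumably copied out to userspace below the hunk, so the zeroing is what keeps stack bytes out of that copy. I would put `/* Zero the whole struct: padding is copied out to userspace too. */` above the memset. linux_ioctl_hdio continues outside the hunk.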
@@ -2477,6 +2478,7 @@ linux_ioctl_socket(struct thread *td, struct linux_ioctl_args *args)
printf("%s(): ioctl %d on %.*s\n", __func__,
args->cmd & 0xffff, LINUX_IFNAMSIZ, lifname);
#endif
+ memset(ifname, 0, sizeof(ifname));
ifp = ifname_linux_to_bsd(td, lifname, ifname);
if (ifp == NULL)
return (EINVAL);
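Review bot: The memset of `ifname` before the ifname_linux_to_bsd() call is unexplained, and nothing in the hunk shows whether the callee writes every byte of `ifname` or whether the buffer is later copied back to the user; presumably it is, since that is the class of disclosure this commit fixes. A one-line comment would keep the clear from being removed later: `/* ifname_linux_to_bsd() need not fill the whole buffer; it is copied out below. */`. linux_ioctl_socket continues outside the hunk.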
diff --git a/sys/compat/linux/linux_ipc.c b/sys/compat/linux/linux_ipc.c
index 9fa1fed6d8e1..cd01c411f7ea 100644
--- a/sys/compat/linux/linux_ipc.c
+++ b/sys/compat/linux/linux_ipc.c
@@ -548,6 +548,9 @@ linux_semctl(struct thread *td, struct linux_semctl_args *args)
register_t rval;
int cmd, error;
+ memset(&linux_seminfo, 0, sizeof(linux_seminfo));
+ memset(&linux_semid64, 0, sizeof(linux_semid64));
+
switch (args->cmd & ~LINUX_IPC_64) {
case LINUX_IPC_RMID:
cmd = IPC_RMID;
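Review bot: The two memsets run unconditionally for every command, including LINUX_IPC_RMID which uses neither structure; that is harmless and arguably the safest placement, but it reads as odd without a comment. I would add `/* Both may be copied out whole; clear padding and unset fields up front. */` above them. Zeroing at the top rather than per case also means a future case cannot forget it. The rest of linux_semctl, including the copyout calls, is outside the hunk.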
@@ -702,12 +705,15 @@ linux_msgctl(struct thread *td, struct linux_msgctl_args *args)
struct l_msqid64_ds linux_msqid64;
struct msqid_ds bsd_msqid;
+ memset(&linux_msqid64, 0, sizeof(linux_msqid64));
+
bsd_cmd = args->cmd & ~LINUX_IPC_64;
switch (bsd_cmd) {
case LINUX_IPC_INFO:
case LINUX_MSG_INFO: {
struct l_msginfo linux_msginfo;
+ memset(&linux_msginfo, 0, sizeof(linux_msginfo));
/*
* XXX MSG_INFO uses the same data structure but returns different
* dynamic counters in msgpool, msgmap, and msgtql fields.
@@ -833,6 +839,10 @@ linux_shmctl(struct thread *td, struct linux_shmctl_args *args)
struct shmid_ds bsd_shmid;
int error;
+ memset(&linux_shm_info, 0, sizeof(linux_shm_info));
+ memset(&linux_shmid64, 0, sizeof(linux_shmid64));
+ memset(&linux_shminfo64, 0, sizeof(linux_shminfo64));
+
switch (args->cmd & ~LINUX_IPC_64) {
case LINUX_IPC_INFO: {
diff --git a/sys/dev/ath/if_ath_btcoex.c b/sys/dev/ath/if_ath_btcoex.c
index f071fc4ee7d2..002483a14ae5 100644
--- a/sys/dev/ath/if_ath_btcoex.c
+++ b/sys/dev/ath/if_ath_btcoex.c
@@ -457,7 +457,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag *ad)
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@@ -466,6 +466,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag *ad)
switch (id) {
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
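Review bot: With `goto bad` added to the only label in `switch (id)`, every id now jumps to `bad`, so the `if (outsize < ad->ad_out_size)` line and whatever copyout follows it are unreachable and ath_btcoex_ioctl fails every request with EINVAL. That is the right outcome for a driver with no diag ids defined, but the function still allocates `outdata` before deciding, so a comment should mark the switch as a placeholder: `/* No btcoex diag ids yet: every request is EINVAL. */`. The `bad:` label and the rest of the function are outside the hunk.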
diff --git a/sys/dev/ath/if_ath_ioctl.c b/sys/dev/ath/if_ath_ioctl.c
index 1128c18eea27..73c1ca236001 100644
--- a/sys/dev/ath/if_ath_ioctl.c
+++ b/sys/dev/ath/if_ath_ioctl.c
@@ -197,7 +197,7 @@ ath_ioctl_diag(struct ath_softc *sc, struct ath_diag *ad)
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
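Review bot: This file gets only the M_ZERO change, whereas the other ath diag ioctls in this commit also add `goto bad` after `error = EINVAL;` in the switch default so that an unknown id never reaches the copyout. If ath_ioctl_diag's switch (outside the hunk) likewise falls through from its default into the copyout, M_ZERO alone only turns a disclosure of stale heap contents into a copy of zeros on a path that should have failed; worth checking that the default there breaks out or that `error` is tested before the copyout. If it already does, a comment on the malloc line, `/* M_ZERO: outdata is copied out whole regardless of how much was filled. */`, would still help.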
diff --git a/sys/dev/ath/if_ath_lna_div.c b/sys/dev/ath/if_ath_lna_div.c
index 5c102fb97607..ec859248c7cc 100644
--- a/sys/dev/ath/if_ath_lna_div.c
+++ b/sys/dev/ath/if_ath_lna_div.c
@@ -187,7 +187,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_diag *ad)
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@@ -196,6 +196,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_diag *ad)
switch (id) {
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
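Review bot: After the added `goto bad`, the switch has no case other than `default`, so the `if (outsize < ad->ad_out_size)` line and the code after it can never run and ath_lna_div_ioctl now rejects every request with EINVAL. If that is intended (no LNA-diversity diag ids defined yet), say so at the switch, e.g. `/* No LNA-diversity diag ids defined; reject everything. */`, so the dead copyout path is not mistaken for a bug. The `bad:` label and the remainder of the function are outside the hunk.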
diff --git a/sys/dev/ath/if_ath_spectral.c b/sys/dev/ath/if_ath_spectral.c
index e4afdaefbbb8..d8f9e8a890f2 100644
--- a/sys/dev/ath/if_ath_spectral.c
+++ b/sys/dev/ath/if_ath_spectral.c
@@ -212,7 +212,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_diag *ad)
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@@ -275,6 +275,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_diag *ad)
break;
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
index 6a7bf001166d..64f8562c7b2f 100644
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -1495,7 +1495,9 @@ tcp_ctloutput(struct socket *so, struct sockopt *sopt)
return (error);
} else if ((sopt->sopt_dir == SOPT_GET) &&
(sopt->sopt_name == TCP_FUNCTION_BLK)) {
- strcpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name);
+ strncpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name,
+ TCP_FUNCTION_NAME_LEN_MAX);
+ fsn.function_set_name[TCP_FUNCTION_NAME_LEN_MAX - 1] = '\0';
fsn.pcbcnt = tp->t_fb->tfb_refcnt;
INP_WUNLOCK(inp);
error = sooptcopyout(sopt, &fsn, sizeof fsn);
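Review bot: The strncpy on the `function_set_name` lines is doing two jobs, bounding the copy and zero-filling the rest of the array, and the second one is the actual memory-disclosure fix, since `fsn` is copied out whole by `sooptcopyout(sopt, &fsn, sizeof fsn)`. Without a comment a later cleanup may swap it for strlcpy (which does not pad) and reintroduce the leak; add `/* strncpy's zero padding is intentional: fsn is copied out in full. */`. Using `sizeof(fsn.function_set_name)` instead of `TCP_FUNCTION_NAME_LEN_MAX` on both lines would tie the bound to the array itself. Any padding in `fsn` after `pcbcnt` is not cleared by this hunk; if the struct is not zeroed earlier in tcp_ctloutput (outside the hunk), a memset before the copy would close that as well.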