authorColin Percival <cperciva@FreeBSD.org>2005-05-06 02:50:35 +0000
committerColin Percival <cperciva@FreeBSD.org>2005-05-06 02:50:35 +0000
commit7158f23c2ae2f5994437b6c7e4fda55129910670 (patch)
tree2e00e39697da2413f7bf4254fde409838d35e994
parentc7be66d1904c2bc85c73040d0b98529bd9ad5a92 (diff)
If we are going to
1. Copy a NULL-terminated string into a fixed-length buffer, and
2. copyout that buffer to userland,
we really ought to
0. Zero the entire buffer first.

Security: FreeBSD-SA-05:08.kmem
Approved by: so (cperciva)
Notes
Notes: svn path=/releng/4.11/; revision=145954
-rw-r--r--UPDATING3
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/kern/vfs_subr.c1
-rw-r--r--sys/net/if_mib.c1
-rw-r--r--sys/netinet/ip_divert.c1
-rw-r--r--sys/netinet/raw_ip.c1
-rw-r--r--sys/netinet/udp_usrreq.c1
7 files changed, 9 insertions, 1 deletions
diff --git a/UPDATING b/UPDATING
index 090b9516dd03..d4f0e50b70aa 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,9 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20050506: p7 FreeBSD-SA-05:08.kmem
+ Correct several local kernel memory disclosure bugs.
+
20050506: p6 FreeBSD-SA-05:07.ldt
Correctly validate inputs to the i386_get_ldt syscall.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 40c0bbd17870..42557719c296 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.11"
-BRANCH="RELEASE-p6"
+BRANCH="RELEASE-p7"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c
index a4105d342ceb..1a8c526dd421 100644
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@@ -2302,6 +2302,7 @@ sysctl_ovfs_conf(SYSCTL_HANDLER_ARGS)
struct ovfsconf ovfs;
for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next) {
+ bzero(&ovfs, sizeof(ovfs));
ovfs.vfc_vfsops = vfsp->vfc_vfsops; /* XXX used as flag */
strcpy(ovfs.vfc_name, vfsp->vfc_name);
ovfs.vfc_index = vfsp->vfc_typenum;
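Review bot: The `strcpy(ovfs.vfc_name, vfsp->vfc_name);` kept just below the new bzero is still an unbounded copy into a fixed-length field, so the fix closes the stale-bytes disclosure but relies on the source name always fitting. Neither struct definition is visible here, so whether the two name fields have the same size should be confirmed. A bounded copy such as `strlcpy(ovfs.vfc_name, vfsp->vfc_name, sizeof(ovfs.vfc_name));` (if this branch's libkern provides it, otherwise an explicit length check) would make the size assumption explicit and keep the zeroed tail intact. The body of sysctl_ovfs_conf continues outside the hunk.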
diff --git a/sys/net/if_mib.c b/sys/net/if_mib.c
index 856c8020c32a..313aea4fa213 100644
--- a/sys/net/if_mib.c
+++ b/sys/net/if_mib.c
@@ -91,6 +91,7 @@ sysctl_ifdata(SYSCTL_HANDLER_ARGS) /* XXX bad syntax! */
return ENOENT;
case IFDATA_GENERAL:
+ bzero(&ifmd, sizeof(ifmd));
ifnlen = snprintf(workbuf, sizeof(workbuf),
"%s%d", ifp->if_name, ifp->if_unit);
if(ifnlen + 1 > sizeof ifmd.ifmd_name) {
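Review bot: The added `bzero(&ifmd, sizeof(ifmd));` in the IFDATA_GENERAL case has no comment saying why it is there, and a later cleanup could drop it as redundant once every named field appears to be assigned. Going by the commit message, the struct is copied out to userland, so the padding and the unused tail of ifmd_name must not carry old stack contents. I would put `/* ifmd is copied out to userland: clear padding and unused ifmd_name bytes first. */` above the call. The same one-line rationale is worth adding at the bzero calls in the sysctl_ovfs_conf, div_pcblist, rip_pcblist and udp_pcblist hunks. The rest of this case lies outside the hunk.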
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index 126b85b432cd..6c80d7273cc3 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -478,6 +478,7 @@ div_pcblist(SYSCTL_HANDLER_ARGS)
inp = inp_list[i];
if (inp->inp_gencnt <= gencnt) {
struct xinpcb xi;
+ bzero(&xi, sizeof(xi));
xi.xi_len = sizeof xi;
/* XXX should avoid extra copy */
bcopy(inp, &xi.xi_inp, sizeof *inp);
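Review bot: The `bcopy(inp, &xi.xi_inp, sizeof *inp);` kept below the new bzero still copies the whole kernel inpcb into the exported record, and zeroing xi first does not change what that copy carries. The inpcb definition is not visible here, but if it holds pointer members, those would reach userland as raw kernel addresses once xi is copied out. Consider clearing such members in xi.xi_inp after the copy, or filling in only the fields that consumers of this sysctl need. The same pattern is in the rip_pcblist and udp_pcblist hunks, and all three functions start and end outside their hunks.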
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index e3c4ad727740..2fe14c077882 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -686,6 +686,7 @@ rip_pcblist(SYSCTL_HANDLER_ARGS)
inp = inp_list[i];
if (inp->inp_gencnt <= gencnt) {
struct xinpcb xi;
+ bzero(&xi, sizeof(xi));
xi.xi_len = sizeof xi;
/* XXX should avoid extra copy */
bcopy(inp, &xi.xi_inp, sizeof *inp);
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index eb401502b683..ff504502e628 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -612,6 +612,7 @@ udp_pcblist(SYSCTL_HANDLER_ARGS)
inp = inp_list[i];
if (inp->inp_gencnt <= gencnt) {
struct xinpcb xi;
+ bzero(&xi, sizeof(xi));
xi.xi_len = sizeof xi;
/* XXX should avoid extra copy */
bcopy(inp, &xi.xi_inp, sizeof *inp);