svn commit: r327497 - head/sys/dev/hpt27xx

Ed Maste emaste at FreeBSD.org
Tue Jan 2 18:29:46 UTC 2018


Author: emaste
Date: Tue Jan  2 18:29:44 2018
New Revision: 327497
URL: https://svnweb.freebsd.org/changeset/base/327497

Log:
  hpt27xx: plug info leak in hpt_ioctl
  
  The hpt27xx ioctl handler allocates a buffer without M_ZERO and calls
  hpt_do_ioctl(), which might not overwrite the entire buffer.
  
  Also zero bytesReturned in case it is not written by hpt_do_ioctl().
  
  The hpt27xx device has permissions only for root so this is not urgent,
  and the fix can be MFCd and considered for a future EN.
  
  Reported by:	Ilja van Sprundel <ivansprundel at ioactive.com>
  Submitted by:	Domagoj Stolfa <domagoj.stolfa at gmail.com> (M_ZERO)
  Reviewed by:	jhb, kib
  MFC after:	3 days
  Security:	info leak in root-only ioctl
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/sys/dev/hpt27xx/hpt27xx_osm_bsd.c

Modified: head/sys/dev/hpt27xx/hpt27xx_osm_bsd.c
==============================================================================
--- head/sys/dev/hpt27xx/hpt27xx_osm_bsd.c	Tue Jan  2 18:11:54 2018	(r327496)
+++ head/sys/dev/hpt27xx/hpt27xx_osm_bsd.c	Tue Jan  2 18:29:44 2018	(r327497)
@@ -1404,7 +1404,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
 {
 	PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
 	IOCTL_ARG ioctl_args;
-	HPT_U32 bytesReturned;
+	HPT_U32 bytesReturned = 0;
 
 	switch (cmd){
 	case HPT_DO_IOCONTROL:
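Review bot: The new initializer on the bytesReturned declaration has no comment saying why it is there, and a later cleanup could drop it as a redundant store. Per the log message it covers the case where hpt_do_ioctl() does not write the value, so a one-line comment to that effect at the declaration would make the intent visible. An alternative is to assign 0 inside the HPT_DO_IOCONTROL case just before the call, which keeps the reset next to the code that depends on it.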
@@ -1434,7 +1434,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
 		}
 	
 		if (ioctl_args.nOutBufferSize) {
-			ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
+			ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
 			if (!ioctl_args.lpOutBuffer)
 				goto invalid;
 		}
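Review bot: The NULL check in the context lines right after the changed malloc() call (if (!ioctl_args.lpOutBuffer) goto invalid;) is dead code, because malloc(9) with M_WAITOK sleeps until memory is available and does not return NULL. It can be removed in a follow-up. M_ZERO itself is the right fix for the uninitialised buffer. Separately, the only size check visible in this hunk is that nOutBufferSize is non-zero. If no upper bound is applied earlier in the function, it is worth adding one, since M_WAITOK will block on a very large request.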

