Date: Thu, 30 Oct 2025 14:10:13 GMT
Message-Id: <202510301410.59UEADBO085342@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 83f74730dba1 - stable/13 - altq: Clear stats structures in get_class_stats()
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 83f74730dba10190ee157be129d4dce46592ab2a

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=83f74730dba10190ee157be129d4dce46592ab2a

commit 83f74730dba10190ee157be129d4dce46592ab2a
Author:     Mark Johnston
AuthorDate: 2025-10-27 16:27:40 +0000
Commit:     Mark Johnston
CommitDate: 2025-10-30 14:09:58 +0000

    altq: Clear stats structures in get_class_stats()

    These structures are copied out to userspace, and it's possible to leak
    uninitialized stack bytes since these routines and their callers weren't
    careful to clear them first. Add memsets to avoid this.

    Reported by: Ilja Van Sprundel
    Reviewed by: kp, emaste
    MFC after: 3 days
    Differential Revision: https://reviews.freebsd.org/D53342

    (cherry picked from commit ff08916e9ac689e6ce734de72325fc2bd9495a35)
---
 sys/net/altq/altq_cbq.c   | 2 ++
 sys/net/altq/altq_fairq.c | 2 ++
 sys/net/altq/altq_priq.c  | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/sys/net/altq/altq_cbq.c b/sys/net/altq/altq_cbq.c index bcba09267289..07c61fccb19b 100644 --- a/sys/net/altq/altq_cbq.c +++ b/sys/net/altq/altq_cbq.c
@@ -172,6 +172,8 @@ cbq_request(struct ifaltq *ifq, int req, void *arg) static void get_class_stats(class_stats_t *statsp, struct rm_class *cl) { + memset(statsp, 0, sizeof(*statsp)); + statsp->xmit_cnt = cl->stats_.xmit_cnt; statsp->drop_cnt = cl->stats_.drop_cnt; statsp->over = cl->stats_.over; diff --git a/sys/net/altq/altq_fairq.c b/sys/net/altq/altq_fairq.c index e20eea91b1a1..49046da24594 100644 --- a/sys/net/altq/altq_fairq.c +++ b/sys/net/altq/altq_fairq.c @@ -856,6 +856,8 @@ get_class_stats(struct fairq_classstats *sp, struct fairq_class *cl) { fairq_bucket_t *b; + memset(sp, 0, sizeof(*sp)); + sp->class_handle = cl->cl_handle; sp->qlimit = cl->cl_qlimit; sp->xmit_cnt = cl->cl_xmitcnt; diff --git a/sys/net/altq/altq_priq.c b/sys/net/altq/altq_priq.c index 32ebfdefbfbe..8023dc12e029 100644 --- a/sys/net/altq/altq_priq.c +++ b/sys/net/altq/altq_priq.c @@ -597,6 +597,8 @@ priq_purgeq(struct priq_class *cl) static void get_class_stats(struct priq_classstats *sp, struct priq_class *cl) { + memset(sp, 0, sizeof(*sp)); + sp->class_handle = cl->cl_handle; sp->qlength = qlen(cl->cl_q); sp->qlimit = qlimit(cl->cl_q);
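Review bot: In the altq_cbq.c hunk, the new memset(statsp, 0, sizeof(*statsp)) at the top of get_class_stats() carries no comment, so the reason for it exists only in the commit message. A one-line comment saying that the structure is copied out to userspace and must not carry stale stack bytes would keep a later cleanup from removing the call as redundant with the field assignments that follow it.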
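Review bot: In the altq_fairq.c hunk, memset(sp, 0, sizeof(*sp)) runs before sp->class_handle is assigned and clears the whole structure, so any value a caller stored in *sp before calling get_class_stats() is now discarded. The commit message says the callers did not clear the structure; the callers are outside the visible context, so it is worth confirming that none of them pre-fills a field that this function is expected to leave alone.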
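Review bot: The memset in the altq_priq.c hunk's get_class_stats() is the last of three, and the diffstat touches only altq_cbq.c, altq_fairq.c and altq_priq.c. If other ALTQ disciplines copy class statistics out to userspace the same way, the commit message should state that they already clear their structures, or a follow-up change should cover them.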