svn commit: r333372 - in releng: 10.4/sys/compat/linux 10.4/sys/dev/ath 11.1/sys/compat/linux 11.1/sys/dev/ath 11.1/sys/netinet

Gordon Tetlow gordon at FreeBSD.org
Tue May 8 17:14:58 UTC 2018


Author: gordon
Date: Tue May  8 17:14:54 2018
New Revision: 333372
URL: https://svnweb.freebsd.org/changeset/base/333372

Log:
  Fix multiple small kernel memory disclosures. [EN-18:05.mem]
  
  Approved by:	so
  Security:	CVE-2018-6920
  Security:	CVE-2018-6921
  Security:	FreeBSD-EN-18:05.mem

Modified:
  releng/10.4/sys/compat/linux/linux_ioctl.c
  releng/10.4/sys/compat/linux/linux_ipc.c
  releng/10.4/sys/dev/ath/if_ath_btcoex.c
  releng/10.4/sys/dev/ath/if_ath_lna_div.c
  releng/10.4/sys/dev/ath/if_ath_spectral.c
  releng/11.1/sys/compat/linux/linux_ioctl.c
  releng/11.1/sys/compat/linux/linux_ipc.c
  releng/11.1/sys/dev/ath/if_ath_btcoex.c
  releng/11.1/sys/dev/ath/if_ath_ioctl.c
  releng/11.1/sys/dev/ath/if_ath_lna_div.c
  releng/11.1/sys/dev/ath/if_ath_spectral.c
  releng/11.1/sys/netinet/tcp_usrreq.c

Modified: releng/10.4/sys/compat/linux/linux_ioctl.c
==============================================================================
--- releng/10.4/sys/compat/linux/linux_ioctl.c	Tue May  8 17:12:10 2018	(r333371)
+++ releng/10.4/sys/compat/linux/linux_ioctl.c	Tue May  8 17:14:54 2018	(r333372)
@@ -246,6 +246,7 @@ linux_ioctl_hdio(struct thread *td, struct linux_ioctl
 		} else if ((args->cmd & 0xffff) == LINUX_HDIO_GET_GEO_BIG) {
 			struct linux_hd_big_geometry hdbg;
 
+			memset(&hdbg, 0, sizeof(hdbg));
 			hdbg.cylinders = fwcylinders;
 			hdbg.heads = fwheads;
 			hdbg.sectors = fwsectors;
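Review bot: The added `memset(&hdbg, 0, sizeof(hdbg))` carries no comment saying why it is needed, and because every named field of hdbg is assigned immediately afterwards a later cleanup could plausibly drop it as redundant initialization; what it actually clears is the structure padding that would otherwise reach userland when hdbg is copied out. Suggest `/* Zero padding bytes: hdbg is copied out to userland. */` directly above the memset. The same applies to the `memset(ifname, 0, sizeof(ifname))` in linux_ioctl_socket below, and to the zeroing added at the top of linux_semctl, linux_msgctl and linux_shmctl in linux_ipc.c, in both the 10.4 and 11.1 copies. The copy-out itself lies outside these hunks, so its presence is inferred from the commit message rather than visible here.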
@@ -2426,6 +2427,7 @@ linux_ioctl_socket(struct thread *td, struct linux_ioc
 		printf("%s(): ioctl %d on %.*s\n", __func__,
 		    args->cmd & 0xffff, LINUX_IFNAMSIZ, lifname);
 #endif
+		memset(ifname, 0, sizeof(ifname));
 		ifp = ifname_linux_to_bsd(td, lifname, ifname);
 		if (ifp == NULL)
 			return (EINVAL);

Modified: releng/10.4/sys/compat/linux/linux_ipc.c
==============================================================================
--- releng/10.4/sys/compat/linux/linux_ipc.c	Tue May  8 17:12:10 2018	(r333371)
+++ releng/10.4/sys/compat/linux/linux_ipc.c	Tue May  8 17:14:54 2018	(r333372)
@@ -516,6 +516,9 @@ linux_semctl(struct thread *td, struct linux_semctl_ar
 	register_t rval;
 	int cmd, error;
 
+	memset(&linux_seminfo, 0, sizeof(linux_seminfo));
+	memset(&linux_semid, 0, sizeof(linux_semid));
+
 	switch (args->cmd & ~LINUX_IPC_64) {
 	case LINUX_IPC_RMID:
 		cmd = IPC_RMID;
@@ -661,12 +664,15 @@ linux_msgctl(struct thread *td, struct linux_msgctl_ar
 	struct l_msqid_ds linux_msqid;
 	struct msqid_ds bsd_msqid;
 
+	memset(&linux_msqid, 0, sizeof(linux_msqid));
+
 	bsd_cmd = args->cmd & ~LINUX_IPC_64;
 	switch (bsd_cmd) {
 	case LINUX_IPC_INFO:
 	case LINUX_MSG_INFO: {
 		struct l_msginfo linux_msginfo;
 
+		memset(&linux_msginfo, 0, sizeof(linux_msginfo));
 		/*
 		 * XXX MSG_INFO uses the same data structure but returns different
 		 * dynamic counters in msgpool, msgmap, and msgtql fields.
@@ -788,6 +794,10 @@ linux_shmctl(struct thread *td, struct linux_shmctl_ar
 	struct l_shm_info linux_shm_info;
 	struct shmid_ds bsd_shmid;
 	int error;
+
+	memset(&linux_shm_info, 0, sizeof(linux_shm_info));
+	memset(&linux_shmid, 0, sizeof(linux_shmid));
+	memset(&linux_shminfo, 0, sizeof(linux_shminfo));
 
 	switch (args->cmd & ~LINUX_IPC_64) {
 

Modified: releng/10.4/sys/dev/ath/if_ath_btcoex.c
==============================================================================
--- releng/10.4/sys/dev/ath/if_ath_btcoex.c	Tue May  8 17:12:10 2018	(r333371)
+++ releng/10.4/sys/dev/ath/if_ath_btcoex.c	Tue May  8 17:14:54 2018	(r333372)
@@ -321,7 +321,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -330,6 +330,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag
 	switch (id) {
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;
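Review bot: With `goto bad` added to the only label in this switch, nothing after the switch in ath_btcoex_ioctl is reachable any more — every id is rejected — so the clamp and whatever follows it are dead code until a real case is added; the same holds for ath_lna_div_ioctl in both releases and for the 11.1 copy of this function, while ath_ioctl_spectral has real cases above its default and is unaffected. A one-line comment such as `/* No diag ids are implemented yet; every request leaves via bad. */` would save the next reader from hunting for missing cases. The `bad:` label is outside the hunk; it is already reached from the ENOMEM path with outdata == NULL, so confirm it also frees a non-NULL outdata, which is the state the new jump arrives in whenever an output buffer was allocated.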

Modified: releng/10.4/sys/dev/ath/if_ath_lna_div.c
==============================================================================
--- releng/10.4/sys/dev/ath/if_ath_lna_div.c	Tue May  8 17:12:10 2018	(r333371)
+++ releng/10.4/sys/dev/ath/if_ath_lna_div.c	Tue May  8 17:14:54 2018	(r333372)
@@ -185,7 +185,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -194,6 +194,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia
 	switch (id) {
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;

Modified: releng/10.4/sys/dev/ath/if_ath_spectral.c
==============================================================================
--- releng/10.4/sys/dev/ath/if_ath_spectral.c	Tue May  8 17:12:10 2018	(r333371)
+++ releng/10.4/sys/dev/ath/if_ath_spectral.c	Tue May  8 17:14:54 2018	(r333372)
@@ -210,7 +210,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -273,6 +273,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di
 		break;
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;

Modified: releng/11.1/sys/compat/linux/linux_ioctl.c
==============================================================================
--- releng/11.1/sys/compat/linux/linux_ioctl.c	Tue May  8 17:12:10 2018	(r333371)
+++ releng/11.1/sys/compat/linux/linux_ioctl.c	Tue May  8 17:14:54 2018	(r333372)
@@ -253,6 +253,7 @@ linux_ioctl_hdio(struct thread *td, struct linux_ioctl
 		} else if ((args->cmd & 0xffff) == LINUX_HDIO_GET_GEO_BIG) {
 			struct linux_hd_big_geometry hdbg;
 
+			memset(&hdbg, 0, sizeof(hdbg));
 			hdbg.cylinders = fwcylinders;
 			hdbg.heads = fwheads;
 			hdbg.sectors = fwsectors;
@@ -2477,6 +2478,7 @@ linux_ioctl_socket(struct thread *td, struct linux_ioc
 		printf("%s(): ioctl %d on %.*s\n", __func__,
 		    args->cmd & 0xffff, LINUX_IFNAMSIZ, lifname);
 #endif
+		memset(ifname, 0, sizeof(ifname));
 		ifp = ifname_linux_to_bsd(td, lifname, ifname);
 		if (ifp == NULL)
 			return (EINVAL);

Modified: releng/11.1/sys/compat/linux/linux_ipc.c
==============================================================================
--- releng/11.1/sys/compat/linux/linux_ipc.c	Tue May  8 17:12:10 2018	(r333371)
+++ releng/11.1/sys/compat/linux/linux_ipc.c	Tue May  8 17:14:54 2018	(r333372)
@@ -548,6 +548,9 @@ linux_semctl(struct thread *td, struct linux_semctl_ar
 	register_t rval;
 	int cmd, error;
 
+	memset(&linux_seminfo, 0, sizeof(linux_seminfo));
+	memset(&linux_semid64, 0, sizeof(linux_semid64));
+
 	switch (args->cmd & ~LINUX_IPC_64) {
 	case LINUX_IPC_RMID:
 		cmd = IPC_RMID;
@@ -702,12 +705,15 @@ linux_msgctl(struct thread *td, struct linux_msgctl_ar
 	struct l_msqid64_ds linux_msqid64;
 	struct msqid_ds bsd_msqid;
 
+	memset(&linux_msqid64, 0, sizeof(linux_msqid64));
+
 	bsd_cmd = args->cmd & ~LINUX_IPC_64;
 	switch (bsd_cmd) {
 	case LINUX_IPC_INFO:
 	case LINUX_MSG_INFO: {
 		struct l_msginfo linux_msginfo;
 
+		memset(&linux_msginfo, 0, sizeof(linux_msginfo));
 		/*
 		 * XXX MSG_INFO uses the same data structure but returns different
 		 * dynamic counters in msgpool, msgmap, and msgtql fields.
@@ -832,6 +838,10 @@ linux_shmctl(struct thread *td, struct linux_shmctl_ar
 	struct l_shm_info linux_shm_info;
 	struct shmid_ds bsd_shmid;
 	int error;
+
+	memset(&linux_shm_info, 0, sizeof(linux_shm_info));
+	memset(&linux_shmid64, 0, sizeof(linux_shmid64));
+	memset(&linux_shminfo64, 0, sizeof(linux_shminfo64));
 
 	switch (args->cmd & ~LINUX_IPC_64) {
 

Modified: releng/11.1/sys/dev/ath/if_ath_btcoex.c
==============================================================================
--- releng/11.1/sys/dev/ath/if_ath_btcoex.c	Tue May  8 17:12:10 2018	(r333371)
+++ releng/11.1/sys/dev/ath/if_ath_btcoex.c	Tue May  8 17:14:54 2018	(r333372)
@@ -457,7 +457,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -466,6 +466,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag
 	switch (id) {
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;

Modified: releng/11.1/sys/dev/ath/if_ath_ioctl.c
==============================================================================
--- releng/11.1/sys/dev/ath/if_ath_ioctl.c	Tue May  8 17:12:10 2018	(r333371)
+++ releng/11.1/sys/dev/ath/if_ath_ioctl.c	Tue May  8 17:14:54 2018	(r333372)
@@ -197,7 +197,7 @@ ath_ioctl_diag(struct ath_softc *sc, struct ath_diag *
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
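Review bot: This is the only ath diag handler in the commit that receives `M_ZERO` without the companion `default: goto bad;` change, and the switch of ath_ioctl_diag is not in the hunk. If an unrecognised id there still falls through to the copy-out, the new flag turns the disclosure into a copy of zeros rather than preventing it; worth confirming that the function already exits before the copy on EINVAL, or adding the same `goto bad` used in if_ath_btcoex.c, if_ath_lna_div.c and if_ath_spectral.c. The remainder of ath_ioctl_diag is outside this hunk.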

Modified: releng/11.1/sys/dev/ath/if_ath_lna_div.c
==============================================================================
--- releng/11.1/sys/dev/ath/if_ath_lna_div.c	Tue May  8 17:12:10 2018	(r333371)
+++ releng/11.1/sys/dev/ath/if_ath_lna_div.c	Tue May  8 17:14:54 2018	(r333372)
@@ -187,7 +187,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -196,6 +196,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia
 	switch (id) {
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;

Modified: releng/11.1/sys/dev/ath/if_ath_spectral.c
==============================================================================
--- releng/11.1/sys/dev/ath/if_ath_spectral.c	Tue May  8 17:12:10 2018	(r333371)
+++ releng/11.1/sys/dev/ath/if_ath_spectral.c	Tue May  8 17:14:54 2018	(r333372)
@@ -212,7 +212,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -275,6 +275,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di
 		break;
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;

Modified: releng/11.1/sys/netinet/tcp_usrreq.c
==============================================================================
--- releng/11.1/sys/netinet/tcp_usrreq.c	Tue May  8 17:12:10 2018	(r333371)
+++ releng/11.1/sys/netinet/tcp_usrreq.c	Tue May  8 17:14:54 2018	(r333372)
@@ -1495,7 +1495,9 @@ tcp_ctloutput(struct socket *so, struct sockopt *sopt)
 		return (error);
 	} else if ((sopt->sopt_dir == SOPT_GET) && 
 	    (sopt->sopt_name == TCP_FUNCTION_BLK)) {
-		strcpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name);
+		strncpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name,
+		    TCP_FUNCTION_NAME_LEN_MAX);
+		fsn.function_set_name[TCP_FUNCTION_NAME_LEN_MAX - 1] = '\0';
 		fsn.pcbcnt = tp->t_fb->tfb_refcnt;
 		INP_WUNLOCK(inp);
 		error = sooptcopyout(sopt, &fsn, sizeof fsn);
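Review bot: The bound passed to `strncpy` and the index of the forced terminator both use the macro TCP_FUNCTION_NAME_LEN_MAX rather than the size of the destination field, so they silently go stale if `fsn.function_set_name` is ever declared with a different length; `strncpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name, sizeof(fsn.function_set_name));` and `fsn.function_set_name[sizeof(fsn.function_set_name) - 1] = '\0';` tie both to the field. Keeping strncpy rather than strlcpy is the right choice here, because its zero padding is what keeps the tail of the name buffer from reaching userland through `sooptcopyout`. If the structure type of fsn has padding between its members, fsn itself should also be zeroed before this point; its declaration is outside the hunk.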

