svn commit: r331329 - head/sys/i386/ibcs2

Ed Maste emaste at FreeBSD.org
Wed Mar 21 23:26:43 UTC 2018


Author: emaste
Date: Wed Mar 21 23:26:42 2018
New Revision: 331329
URL: https://svnweb.freebsd.org/changeset/base/331329

Log:
  Fix kernel memory disclosure in ibcs2_getdents
  
  ibcs2_getdents() copies a dirent structure to userland.  The ibcs2
  dirent structure contains a 2 byte pad element.  This element is never
  initialized, but copied to userland nonetheless.
  
  Note that ibcs2 has not built on HEAD since r302095.
  
  Submitted by:	Domagoj Stolfa <ds815 at cam.ac.uk>
  Reported by:	Ilja Van Sprundel <ivansprundel at ioactive.com>
  MFC after:	3 days
  Security:	Kernel memory disclosure (803)

Modified:
  head/sys/i386/ibcs2/ibcs2_misc.c

Modified: head/sys/i386/ibcs2/ibcs2_misc.c
==============================================================================
--- head/sys/i386/ibcs2/ibcs2_misc.c	Wed Mar 21 23:21:32 2018	(r331328)
+++ head/sys/i386/ibcs2/ibcs2_misc.c	Wed Mar 21 23:26:42 2018	(r331329)
@@ -330,6 +330,7 @@ ibcs2_getdents(struct thread *td, struct ibcs2_getdent
 #define	BSD_DIRENT(cp)		((struct dirent *)(cp))
 #define	IBCS2_RECLEN(reclen)	(reclen + sizeof(u_short))
 
+	memset(&idb, 0, sizeof(idb));
 	error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp);
 	if (error != 0)
 		return (error);