svn commit: r327588 - in stable/11/sys/dev: hpt27xx hptnr hptrr
Ed Maste
emaste at FreeBSD.org
Fri Jan 5 16:04:58 UTC 2018
Author: emaste
Date: Fri Jan 5 16:04:56 2018
New Revision: 327588
URL: https://svnweb.freebsd.org/changeset/base/327588
Log:
MFC r327497, r327498: fix memory disclosure in hpt* ioctls
r327497: hpt27xx: plug info leak in hpt_ioctl
The hpt27xx ioctl handler allocates a buffer without M_ZERO and calls
hpt_do_ioctl(), which might not overwrite the entire buffer.
Also zero bytesReturned in case it is not written by hpt_do_ioctl().
The hpt27xx device has permissions only for root so this is not urgent,
and the fix can be MFCd and considered for a future EN.
Reported by: Ilja van Sprundel <ivansprundel at ioactive.com>
Submitted by: Domagoj Stolfa <domagoj.stolfa at gmail.com> (M_ZERO)
r327498: hpt{nr,rr}: plug info leak in hpt_ioctl
The hpt{nr,rr} ioctl handler allocates a buffer without M_ZERO and calls
hpt_do_ioctl(), which might not overwrite the entire buffer.
Also zero bytesReturned in case it is not written by hpt_do_ioctl().
The hpt{nr,rr} device has permissions only for root so this is not urgent,
and the fix can be MFCd and considered for a future EN.
The same issue was reported in the hpt27xx driver by Ilja Van Sprundel.
Security: memory disclosure in root-only ioctls
Sponsored by: The FreeBSD Foundation
Modified:
stable/11/sys/dev/hpt27xx/hpt27xx_osm_bsd.c
stable/11/sys/dev/hptnr/hptnr_osm_bsd.c
stable/11/sys/dev/hptrr/hptrr_osm_bsd.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/dev/hpt27xx/hpt27xx_osm_bsd.c
==============================================================================
--- stable/11/sys/dev/hpt27xx/hpt27xx_osm_bsd.c Fri Jan 5 11:46:45 2018 (r327587)
+++ stable/11/sys/dev/hpt27xx/hpt27xx_osm_bsd.c Fri Jan 5 16:04:56 2018 (r327588)
@@ -1402,7 +1402,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
{
PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
IOCTL_ARG ioctl_args;
- HPT_U32 bytesReturned;
+ HPT_U32 bytesReturned = 0;
switch (cmd){
case HPT_DO_IOCONTROL:
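Review bot: The new `= 0` initializer on `bytesReturned` has no comment, so a later cleanup could drop it as redundant without noticing that the value may reach userland unwritten. I would add `/* Zeroed: hpt_do_ioctl() may not write this before it is returned to the caller. */` above the declaration. That the variable is copied out is inferred from the commit log, because the rest of hpt_ioctl lies outside the hunk. The same applies to the matching first hunks in hptnr_osm_bsd.c and hptrr_osm_bsd.c.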
@@ -1432,7 +1432,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
}
if (ioctl_args.nOutBufferSize) {
- ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
+ ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
if (!ioctl_args.lpOutBuffer)
goto invalid;
}
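Review bot: The allocation size `ioctl_args.nOutBufferSize` has no upper bound visible in this hunk, and with `M_WAITOK` an oversized request sleeps for memory instead of failing. If the field comes from the caller's ioctl parameter without a cap earlier in hpt_ioctl (outside the hunk), reject it before the malloc, for example `if (ioctl_args.nOutBufferSize > <DRIVER_MAX_IOCTL_BUF>) goto invalid;` with a limit the driver chooses. Separately, malloc(9) with `M_WAITOK` does not return NULL, so the `if (!ioctl_args.lpOutBuffer)` test that follows is dead code and can be dropped. `M_ZERO` removes the stale-heap exposure, but copying out only the byte count hpt_do_ioctl() reports would address the cause; that copyout is not in the hunk. The same applies to the second hunks of hptnr_osm_bsd.c and hptrr_osm_bsd.c.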
Modified: stable/11/sys/dev/hptnr/hptnr_osm_bsd.c
==============================================================================
--- stable/11/sys/dev/hptnr/hptnr_osm_bsd.c Fri Jan 5 11:46:45 2018 (r327587)
+++ stable/11/sys/dev/hptnr/hptnr_osm_bsd.c Fri Jan 5 16:04:56 2018 (r327588)
@@ -1584,7 +1584,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
{
PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
IOCTL_ARG ioctl_args;
- HPT_U32 bytesReturned;
+ HPT_U32 bytesReturned = 0;
switch (cmd){
case HPT_DO_IOCONTROL:
@@ -1614,7 +1614,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
}
if (ioctl_args.nOutBufferSize) {
- ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
+ ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
if (!ioctl_args.lpOutBuffer)
goto invalid;
}
Modified: stable/11/sys/dev/hptrr/hptrr_osm_bsd.c
==============================================================================
--- stable/11/sys/dev/hptrr/hptrr_osm_bsd.c Fri Jan 5 11:46:45 2018 (r327587)
+++ stable/11/sys/dev/hptrr/hptrr_osm_bsd.c Fri Jan 5 16:04:56 2018 (r327588)
@@ -1231,7 +1231,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
{
PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
IOCTL_ARG ioctl_args;
- HPT_U32 bytesReturned;
+ HPT_U32 bytesReturned = 0;
switch (cmd){
case HPT_DO_IOCONTROL:
@@ -1261,7 +1261,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
}
if (ioctl_args.nOutBufferSize) {
- ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
+ ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
if (!ioctl_args.lpOutBuffer)
goto invalid;
}