Author: emaste Date: Tue Jan 2 18:29:44 2018 New Revision: 327497 URL: https://svnweb.freebsd.org/changeset/base/327497
Log: hpt27xx: plug info leak in hpt_ioctl The hpt27xx ioctl handler allocates a buffer without M_ZERO and calls hpt_do_ioctl(), which might not overwrite the entire buffer. Also zero bytesReturned in case it is not written by hpt_do_ioctl(). The hpt27xx device has permissions only for root so this is not urgent, and the fix can be MFCd and considered for a future EN. Reported by: Ilja van Sprundel <[email protected]> Submitted by: Domagoj Stolfa <[email protected]> (M_ZERO) Reviewed by: jhb, kib MFC after: 3 days Security: info leak in root-only ioctl Sponsored by: The FreeBSD Foundation Modified: head/sys/dev/hpt27xx/hpt27xx_osm_bsd.c Modified: head/sys/dev/hpt27xx/hpt27xx_osm_bsd.c ============================================================================== --- head/sys/dev/hpt27xx/hpt27xx_osm_bsd.c Tue Jan 2 18:11:54 2018 (r327496) +++ head/sys/dev/hpt27xx/hpt27xx_osm_bsd.c Tue Jan 2 18:29:44 2018 (r327497) @@ -1404,7 +1404,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad { PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data; IOCTL_ARG ioctl_args; - HPT_U32 bytesReturned; + HPT_U32 bytesReturned = 0; switch (cmd){ case HPT_DO_IOCONTROL: @@ -1434,7 +1434,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad } if (ioctl_args.nOutBufferSize) { - ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK); + ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO); if (!ioctl_args.lpOutBuffer) goto invalid; } _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "[email protected]"
