Author: emaste
Date: Tue Jan  2 18:31:32 2018
New Revision: 327498
URL: https://svnweb.freebsd.org/changeset/base/327498

Log:
  hpt{nr,rr}: plug info leak in hpt_ioctl
  
  The hpt{nr,rr} ioctl handler allocates a buffer without M_ZERO and calls
  hpt_do_ioctl(), which might not overwrite the entire buffer.
  
  Also zero bytesReturned in case it is not written by hpt_do_ioctl().
  
  The hpt27{nr,rr} device has permissions only for root so this is not urgent,
  and the fix can be MFCd and considered for a future EN.
  
  The same issue was reported in the hpt27xx driver by Ilja Van Sprundel.
  
  Reviewed by:  jhb, kib
  MFC after:    3 days
  Sponsored by: The FreeBSD Foundation

Modified:
  head/sys/dev/hptnr/hptnr_osm_bsd.c
  head/sys/dev/hptrr/hptrr_osm_bsd.c

Modified: head/sys/dev/hptnr/hptnr_osm_bsd.c
==============================================================================
--- head/sys/dev/hptnr/hptnr_osm_bsd.c  Tue Jan  2 18:29:44 2018        
(r327497)
+++ head/sys/dev/hptnr/hptnr_osm_bsd.c  Tue Jan  2 18:31:32 2018        
(r327498)
@@ -1586,7 +1586,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
 {
        PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
        IOCTL_ARG ioctl_args;
-       HPT_U32 bytesReturned;
+       HPT_U32 bytesReturned = 0;
 
        switch (cmd){
        case HPT_DO_IOCONTROL:
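Review bot: The new initialiser `HPT_U32 bytesReturned = 0;` has no comment explaining why it is there, so a later cleanup could remove it as a redundant store. Going by the commit log, hpt_do_ioctl() may leave the variable unwritten, so I would add `/* hpt_do_ioctl() may not set this; keep it zeroed so no stack contents reach userland */` above the declaration. The same comment belongs on the identical hunk in hptrr_osm_bsd.c at line 1233. hpt_ioctl's body continues outside the hunk, so the place where bytesReturned is copied out is not visible here.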
@@ -1616,7 +1616,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
                }
        
                if (ioctl_args.nOutBufferSize) {
-                       ioctl_args.lpOutBuffer = 
malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
+                       ioctl_args.lpOutBuffer = 
malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
                        if (!ioctl_args.lpOutBuffer)
                                goto invalid;
                }
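Review bot: The `if (!ioctl_args.lpOutBuffer)` / `goto invalid;` pair kept under the changed call is dead code, because malloc(9) with M_WAITOK sleeps rather than returning NULL; it can be dropped or replaced by a comment saying so. Separately, nOutBufferSize looks caller-supplied and no upper bound is visible in this hunk. If the part of hpt_ioctl outside the hunk does not cap it, a sleeping, zero-filled allocation of caller-chosen size is worth bounding, even on a root-only device node. M_ZERO closes the leak only for this buffer, so it would also be worth confirming that the later copy-out is limited to what hpt_do_ioctl() actually produced. The same points apply to the matching hunk in hptrr_osm_bsd.c at line 1263.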

Modified: head/sys/dev/hptrr/hptrr_osm_bsd.c
==============================================================================
--- head/sys/dev/hptrr/hptrr_osm_bsd.c  Tue Jan  2 18:29:44 2018        
(r327497)
+++ head/sys/dev/hptrr/hptrr_osm_bsd.c  Tue Jan  2 18:31:32 2018        
(r327498)
@@ -1233,7 +1233,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
 {
        PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
        IOCTL_ARG ioctl_args;
-       HPT_U32 bytesReturned;
+       HPT_U32 bytesReturned = 0;
 
        switch (cmd){
        case HPT_DO_IOCONTROL:
@@ -1263,7 +1263,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
                }
        
                if (ioctl_args.nOutBufferSize) {
-                       ioctl_args.lpOutBuffer = 
malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
+                       ioctl_args.lpOutBuffer = 
malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
                        if (!ioctl_args.lpOutBuffer)
                                goto invalid;
                }