Author: gordon Date: Wed Apr 4 05:43:03 2018 New Revision: 331987 URL: https://svnweb.freebsd.org/changeset/base/331987
Log: Fix multiple small kernel memory disclosures. [EN-18:04.mem] Reported by: Ilja van Sprundel Approved by: so Security: CVE-2018-6919 Security: FreeBSD-EN-18:04.mem Modified: releng/10.3/sys/compat/svr4/svr4_misc.c releng/10.3/sys/dev/drm/drm_bufs.c releng/10.3/sys/dev/drm/drm_irq.c releng/10.3/sys/dev/hpt27xx/hpt27xx_osm_bsd.c releng/10.3/sys/dev/hptnr/hptnr_osm_bsd.c releng/10.3/sys/dev/hptrr/hptrr_osm_bsd.c releng/10.3/sys/i386/ibcs2/ibcs2_misc.c releng/10.4/sys/compat/svr4/svr4_misc.c releng/10.4/sys/dev/drm/drm_bufs.c releng/10.4/sys/dev/drm/drm_irq.c releng/10.4/sys/dev/hpt27xx/hpt27xx_osm_bsd.c releng/10.4/sys/dev/hptnr/hptnr_osm_bsd.c releng/10.4/sys/dev/hptrr/hptrr_osm_bsd.c releng/10.4/sys/i386/ibcs2/ibcs2_misc.c releng/11.1/sys/compat/svr4/svr4_misc.c releng/11.1/sys/dev/drm/drm_bufs.c releng/11.1/sys/dev/drm/drm_irq.c releng/11.1/sys/dev/hpt27xx/hpt27xx_osm_bsd.c releng/11.1/sys/dev/hptnr/hptnr_osm_bsd.c releng/11.1/sys/dev/hptrr/hptrr_osm_bsd.c releng/11.1/sys/i386/ibcs2/ibcs2_misc.c Modified: releng/10.3/sys/compat/svr4/svr4_misc.c ============================================================================== --- releng/10.3/sys/compat/svr4/svr4_misc.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/10.3/sys/compat/svr4/svr4_misc.c Wed Apr 4 05:43:03 2018 (r331987) @@ -260,6 +260,7 @@ svr4_sys_getdents64(td, uap) u_long *cookies = NULL, *cookiep; int ncookies; + memset(&svr4_dirent, 0, sizeof(svr4_dirent)); DPRINTF(("svr4_sys_getdents64(%d, *, %d)\n", uap->fd, uap->nbytes)); error = getvnode(td->td_proc->p_fd, uap->fd, Modified: releng/10.3/sys/dev/drm/drm_bufs.c ============================================================================== --- releng/10.3/sys/dev/drm/drm_bufs.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/10.3/sys/dev/drm/drm_bufs.c Wed Apr 4 05:43:03 2018 (r331987) 
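Review bot: The added `memset(&svr4_dirent, 0, sizeof(svr4_dirent));` at the top of svr4_sys_getdents64 has no comment saying why it is there, so a later cleanup could drop it as a redundant initialisation. I would put `/* Clear padding and unused trailing bytes: this struct is copied out to userland. */` above it. The function body continues outside the hunk, so the copy to userland and any per-entry reuse of svr4_dirent are not visible here. If the struct is refilled once per directory entry, clearing it immediately before each fill would keep the guarantee next to the code that depends on it. The same applies to the `memset(&idb, 0, sizeof(idb));` added in ibcs2_getdents and to the releng/10.4 and releng/11.1 copies of both hunks.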
@@ -935,6 +935,7 @@ int drm_infobufs(struct drm_device *dev, void *data, s if (dma->bufs[i].buf_count) { struct drm_buf_desc from; + memset(&from, 0, sizeof(from)); from.count = dma->bufs[i].buf_count; from.size = dma->bufs[i].buf_size; from.low_mark = dma->bufs[i].freelist.low_mark; Modified: releng/10.3/sys/dev/drm/drm_irq.c ============================================================================== --- releng/10.3/sys/dev/drm/drm_irq.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/10.3/sys/dev/drm/drm_irq.c Wed Apr 4 05:43:03 2018 (r331987) @@ -357,7 +357,7 @@ int drm_modeset_ctl(struct drm_device *dev, void *data goto out; crtc = modeset->crtc; - if (crtc >= dev->num_crtcs) { + if (crtc < 0 || crtc >= dev->num_crtcs) { ret = EINVAL; goto out; } Modified: releng/10.3/sys/dev/hpt27xx/hpt27xx_osm_bsd.c ============================================================================== --- releng/10.3/sys/dev/hpt27xx/hpt27xx_osm_bsd.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/10.3/sys/dev/hpt27xx/hpt27xx_osm_bsd.c Wed Apr 4 05:43:03 2018 (r331987) @@ -1402,7 +1402,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad { PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data; IOCTL_ARG ioctl_args; - HPT_U32 bytesReturned; + HPT_U32 bytesReturned = 0; switch (cmd){ case HPT_DO_IOCONTROL: @@ -1432,7 +1432,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad } if (ioctl_args.nOutBufferSize) { - ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK); + ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO); if (!ioctl_args.lpOutBuffer) goto invalid; } Modified: releng/10.3/sys/dev/hptnr/hptnr_osm_bsd.c ============================================================================== --- releng/10.3/sys/dev/hptnr/hptnr_osm_bsd.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/10.3/sys/dev/hptnr/hptnr_osm_bsd.c Wed Apr 4 05:43:03 2018 (r331987) 
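Review bot: In drm_infobufs the new `memset(&from, 0, sizeof(from));` is the right form, but nothing records why a memset is used rather than an initializer. An aggregate initializer such as `= {0}` is not guaranteed to clear padding bytes, so a comment like `/* memset, not an initializer: padding must be zero before this is copied to userland */` would stop someone simplifying it later. Only count, size and low_mark are assigned in the visible lines; the rest of the block, including the copy out, lies outside the hunk. The releng/10.4 and releng/11.1 hunks are identical.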
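Review bot: The added `crtc < 0` test in drm_modeset_ctl only has an effect if crtc is a signed variable, which means the caller-supplied `modeset->crtc` is converted to a signed type before it is range-checked. The declarations are outside the hunk, so this is inferred. If the field in the ioctl structure is unsigned, declaring crtc with that same unsigned type would let the single `crtc >= dev->num_crtcs` comparison reject every out-of-range value without depending on conversion behaviour. Either way, a comment such as `/* crtc comes from userland; reject negative and too-large values */` would make the purpose of the check plain. The same hunk appears for releng/10.4 and releng/11.1.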
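Review bot: The allocation size `ioctl_args.nOutBufferSize` has no upper bound in the visible lines of hpt_ioctl, and it appears to come from the caller's ioctl parameter block (`piop`), so a very large request would go straight to `malloc(..., M_WAITOK | M_ZERO)`. If no limit is enforced earlier in the function (outside this hunk), add one before the allocation, e.g. `if (ioctl_args.nOutBufferSize > <driver-defined limit>) goto invalid;`. Separately, malloc(9) with M_WAITOK does not return NULL, so the `if (!ioctl_args.lpOutBuffer) goto invalid;` check that follows is dead code and suggests a failure mode that cannot occur. Both points apply equally to the hptnr and hptrr copies of this hunk and to the releng/10.4 and releng/11.1 versions.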
@@ -1584,7 +1584,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad { PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data; IOCTL_ARG ioctl_args; - HPT_U32 bytesReturned; + HPT_U32 bytesReturned = 0; switch (cmd){ case HPT_DO_IOCONTROL: @@ -1614,7 +1614,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad } if (ioctl_args.nOutBufferSize) { - ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK); + ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO); if (!ioctl_args.lpOutBuffer) goto invalid; } Modified: releng/10.3/sys/dev/hptrr/hptrr_osm_bsd.c ============================================================================== --- releng/10.3/sys/dev/hptrr/hptrr_osm_bsd.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/10.3/sys/dev/hptrr/hptrr_osm_bsd.c Wed Apr 4 05:43:03 2018 (r331987) @@ -1231,7 +1231,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad { PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data; IOCTL_ARG ioctl_args; - HPT_U32 bytesReturned; + HPT_U32 bytesReturned = 0; switch (cmd){ case HPT_DO_IOCONTROL: @@ -1261,7 +1261,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad } if (ioctl_args.nOutBufferSize) { - ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK); + ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO); if (!ioctl_args.lpOutBuffer) goto invalid; } Modified: releng/10.3/sys/i386/ibcs2/ibcs2_misc.c ============================================================================== --- releng/10.3/sys/i386/ibcs2/ibcs2_misc.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/10.3/sys/i386/ibcs2/ibcs2_misc.c Wed Apr 4 05:43:03 2018 (r331987) 
@@ -352,6 +352,7 @@ ibcs2_getdents(td, uap) #define BSD_DIRENT(cp) ((struct dirent *)(cp)) #define IBCS2_RECLEN(reclen) (reclen + sizeof(u_short)) + memset(&idb, 0, sizeof(idb)); error = getvnode(td->td_proc->p_fd, uap->fd, cap_rights_init(&rights, CAP_READ), &fp); if (error != 0) Modified: releng/10.4/sys/compat/svr4/svr4_misc.c ============================================================================== --- releng/10.4/sys/compat/svr4/svr4_misc.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/10.4/sys/compat/svr4/svr4_misc.c Wed Apr 4 05:43:03 2018 (r331987) @@ -260,6 +260,7 @@ svr4_sys_getdents64(td, uap) u_long *cookies = NULL, *cookiep; int ncookies; + memset(&svr4_dirent, 0, sizeof(svr4_dirent)); DPRINTF(("svr4_sys_getdents64(%d, *, %d)\n", uap->fd, uap->nbytes)); error = getvnode(td->td_proc->p_fd, uap->fd, Modified: releng/10.4/sys/dev/drm/drm_bufs.c ============================================================================== --- releng/10.4/sys/dev/drm/drm_bufs.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/10.4/sys/dev/drm/drm_bufs.c Wed Apr 4 05:43:03 2018 (r331987) @@ -935,6 +935,7 @@ int drm_infobufs(struct drm_device *dev, void *data, s if (dma->bufs[i].buf_count) { struct drm_buf_desc from; + memset(&from, 0, sizeof(from)); from.count = dma->bufs[i].buf_count; from.size = dma->bufs[i].buf_size; from.low_mark = dma->bufs[i].freelist.low_mark; Modified: releng/10.4/sys/dev/drm/drm_irq.c ============================================================================== --- releng/10.4/sys/dev/drm/drm_irq.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/10.4/sys/dev/drm/drm_irq.c Wed Apr 4 05:43:03 2018 (r331987) 
@@ -357,7 +357,7 @@ int drm_modeset_ctl(struct drm_device *dev, void *data goto out; crtc = modeset->crtc; - if (crtc >= dev->num_crtcs) { + if (crtc < 0 || crtc >= dev->num_crtcs) { ret = EINVAL; goto out; } Modified: releng/10.4/sys/dev/hpt27xx/hpt27xx_osm_bsd.c ============================================================================== --- releng/10.4/sys/dev/hpt27xx/hpt27xx_osm_bsd.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/10.4/sys/dev/hpt27xx/hpt27xx_osm_bsd.c Wed Apr 4 05:43:03 2018 (r331987) @@ -1402,7 +1402,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad { PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data; IOCTL_ARG ioctl_args; - HPT_U32 bytesReturned; + HPT_U32 bytesReturned = 0; switch (cmd){ case HPT_DO_IOCONTROL: @@ -1432,7 +1432,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad } if (ioctl_args.nOutBufferSize) { - ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK); + ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO); if (!ioctl_args.lpOutBuffer) goto invalid; } Modified: releng/10.4/sys/dev/hptnr/hptnr_osm_bsd.c ============================================================================== --- releng/10.4/sys/dev/hptnr/hptnr_osm_bsd.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/10.4/sys/dev/hptnr/hptnr_osm_bsd.c Wed Apr 4 05:43:03 2018 (r331987) @@ -1584,7 +1584,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad { PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data; IOCTL_ARG ioctl_args; - HPT_U32 bytesReturned; + HPT_U32 bytesReturned = 0; switch (cmd){ case HPT_DO_IOCONTROL: 
@@ -1614,7 +1614,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad } if (ioctl_args.nOutBufferSize) { - ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK); + ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO); if (!ioctl_args.lpOutBuffer) goto invalid; } Modified: releng/10.4/sys/dev/hptrr/hptrr_osm_bsd.c ============================================================================== --- releng/10.4/sys/dev/hptrr/hptrr_osm_bsd.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/10.4/sys/dev/hptrr/hptrr_osm_bsd.c Wed Apr 4 05:43:03 2018 (r331987) @@ -1231,7 +1231,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad { PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data; IOCTL_ARG ioctl_args; - HPT_U32 bytesReturned; + HPT_U32 bytesReturned = 0; switch (cmd){ case HPT_DO_IOCONTROL: @@ -1261,7 +1261,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad } if (ioctl_args.nOutBufferSize) { - ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK); + ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO); if (!ioctl_args.lpOutBuffer) goto invalid; } Modified: releng/10.4/sys/i386/ibcs2/ibcs2_misc.c ============================================================================== --- releng/10.4/sys/i386/ibcs2/ibcs2_misc.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/10.4/sys/i386/ibcs2/ibcs2_misc.c Wed Apr 4 05:43:03 2018 (r331987) 
@@ -352,6 +352,7 @@ ibcs2_getdents(td, uap) #define BSD_DIRENT(cp) ((struct dirent *)(cp)) #define IBCS2_RECLEN(reclen) (reclen + sizeof(u_short)) + memset(&idb, 0, sizeof(idb)); error = getvnode(td->td_proc->p_fd, uap->fd, cap_rights_init(&rights, CAP_READ), &fp); if (error != 0) Modified: releng/11.1/sys/compat/svr4/svr4_misc.c ============================================================================== --- releng/11.1/sys/compat/svr4/svr4_misc.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/11.1/sys/compat/svr4/svr4_misc.c Wed Apr 4 05:43:03 2018 (r331987) @@ -259,6 +259,7 @@ svr4_sys_getdents64(td, uap) u_long *cookies = NULL, *cookiep; int ncookies; + memset(&svr4_dirent, 0, sizeof(svr4_dirent)); DPRINTF(("svr4_sys_getdents64(%d, *, %d)\n", uap->fd, uap->nbytes)); error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp); Modified: releng/11.1/sys/dev/drm/drm_bufs.c ============================================================================== --- releng/11.1/sys/dev/drm/drm_bufs.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/11.1/sys/dev/drm/drm_bufs.c Wed Apr 4 05:43:03 2018 (r331987) @@ -935,6 +935,7 @@ int drm_infobufs(struct drm_device *dev, void *data, s if (dma->bufs[i].buf_count) { struct drm_buf_desc from; + memset(&from, 0, sizeof(from)); from.count = dma->bufs[i].buf_count; from.size = dma->bufs[i].buf_size; from.low_mark = dma->bufs[i].freelist.low_mark; Modified: releng/11.1/sys/dev/drm/drm_irq.c ============================================================================== --- releng/11.1/sys/dev/drm/drm_irq.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/11.1/sys/dev/drm/drm_irq.c Wed Apr 4 05:43:03 2018 (r331987) 
@@ -351,7 +351,7 @@ int drm_modeset_ctl(struct drm_device *dev, void *data goto out; crtc = modeset->crtc; - if (crtc >= dev->num_crtcs) { + if (crtc < 0 || crtc >= dev->num_crtcs) { ret = EINVAL; goto out; } Modified: releng/11.1/sys/dev/hpt27xx/hpt27xx_osm_bsd.c ============================================================================== --- releng/11.1/sys/dev/hpt27xx/hpt27xx_osm_bsd.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/11.1/sys/dev/hpt27xx/hpt27xx_osm_bsd.c Wed Apr 4 05:43:03 2018 (r331987) @@ -1402,7 +1402,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad { PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data; IOCTL_ARG ioctl_args; - HPT_U32 bytesReturned; + HPT_U32 bytesReturned = 0; switch (cmd){ case HPT_DO_IOCONTROL: @@ -1432,7 +1432,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad } if (ioctl_args.nOutBufferSize) { - ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK); + ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO); if (!ioctl_args.lpOutBuffer) goto invalid; } Modified: releng/11.1/sys/dev/hptnr/hptnr_osm_bsd.c ============================================================================== --- releng/11.1/sys/dev/hptnr/hptnr_osm_bsd.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/11.1/sys/dev/hptnr/hptnr_osm_bsd.c Wed Apr 4 05:43:03 2018 (r331987) @@ -1584,7 +1584,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad { PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data; IOCTL_ARG ioctl_args; - HPT_U32 bytesReturned; + HPT_U32 bytesReturned = 0; switch (cmd){ case HPT_DO_IOCONTROL: 
@@ -1614,7 +1614,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad } if (ioctl_args.nOutBufferSize) { - ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK); + ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO); if (!ioctl_args.lpOutBuffer) goto invalid; } Modified: releng/11.1/sys/dev/hptrr/hptrr_osm_bsd.c ============================================================================== --- releng/11.1/sys/dev/hptrr/hptrr_osm_bsd.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/11.1/sys/dev/hptrr/hptrr_osm_bsd.c Wed Apr 4 05:43:03 2018 (r331987) @@ -1231,7 +1231,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad { PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data; IOCTL_ARG ioctl_args; - HPT_U32 bytesReturned; + HPT_U32 bytesReturned = 0; switch (cmd){ case HPT_DO_IOCONTROL: @@ -1261,7 +1261,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad } if (ioctl_args.nOutBufferSize) { - ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK); + ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO); if (!ioctl_args.lpOutBuffer) goto invalid; } Modified: releng/11.1/sys/i386/ibcs2/ibcs2_misc.c ============================================================================== --- releng/11.1/sys/i386/ibcs2/ibcs2_misc.c Wed Apr 4 05:40:48 2018 (r331986) +++ releng/11.1/sys/i386/ibcs2/ibcs2_misc.c Wed Apr 4 05:43:03 2018 (r331987) @@ -342,6 +342,7 @@ ibcs2_getdents(td, uap) #define BSD_DIRENT(cp) ((struct dirent *)(cp)) #define IBCS2_RECLEN(reclen) (reclen + sizeof(u_short)) + memset(&idb, 0, sizeof(idb)); error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp); if (error != 0) return (error); _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"