From 9d2807bdf72c932cabb0bf577328a5ba0eff42af Mon Sep 17 00:00:00 2001 From: gordon Date: Tue, 8 May 2018 17:14:54 +0000 Subject: Fix multiple small kernel memory disclosures. [EN-18:05.mem] Approved by: so Security: CVE-2018-6920 Security: CVE-2018-6921 Security: FreeBSD-EN-18:05.mem --- sys/compat/linux/linux_ioctl.c | 2 ++ sys/compat/linux/linux_ipc.c | 10 ++++++++++ sys/dev/ath/if_ath_btcoex.c | 3 ++- sys/dev/ath/if_ath_ioctl.c | 2 +- sys/dev/ath/if_ath_lna_div.c | 3 ++- sys/dev/ath/if_ath_spectral.c | 3 ++- sys/netinet/tcp_usrreq.c | 4 +++- 7 files changed, 22 insertions(+), 5 deletions(-) diff --git a/sys/compat/linux/linux_ioctl.c b/sys/compat/linux/linux_ioctl.c index b77db6c..5c30c19 100644 --- a/sys/compat/linux/linux_ioctl.c +++ b/sys/compat/linux/linux_ioctl.c @@ -253,6 +253,7 @@ linux_ioctl_hdio(struct thread *td, struct linux_ioctl_args *args) } else if ((args->cmd & 0xffff) == LINUX_HDIO_GET_GEO_BIG) { struct linux_hd_big_geometry hdbg; + memset(&hdbg, 0, sizeof(hdbg)); hdbg.cylinders = fwcylinders; hdbg.heads = fwheads; hdbg.sectors = fwsectors; @@ -2477,6 +2478,7 @@ linux_ioctl_socket(struct thread *td, struct linux_ioctl_args *args) printf("%s(): ioctl %d on %.*s\n", __func__, args->cmd & 0xffff, LINUX_IFNAMSIZ, lifname); #endif + memset(ifname, 0, sizeof(ifname)); ifp = ifname_linux_to_bsd(td, lifname, ifname); if (ifp == NULL) return (EINVAL); diff --git a/sys/compat/linux/linux_ipc.c b/sys/compat/linux/linux_ipc.c index 9fa1fed..cd01c41 100644 --- a/sys/compat/linux/linux_ipc.c +++ b/sys/compat/linux/linux_ipc.c @@ -548,6 +548,9 @@ linux_semctl(struct thread *td, struct linux_semctl_args *args) register_t rval; int cmd, error; + memset(&linux_seminfo, 0, sizeof(linux_seminfo)); + memset(&linux_semid64, 0, sizeof(linux_semid64)); + switch (args->cmd & ~LINUX_IPC_64) { case LINUX_IPC_RMID: cmd = IPC_RMID; @@ -702,12 +705,15 @@ linux_msgctl(struct thread *td, struct linux_msgctl_args *args) struct l_msqid64_ds linux_msqid64; struct msqid_ds bsd_msqid; + memset(&linux_msqid64, 0, sizeof(linux_msqid64)); + bsd_cmd = args->cmd & ~LINUX_IPC_64; switch (bsd_cmd) { case LINUX_IPC_INFO: case LINUX_MSG_INFO: { struct l_msginfo linux_msginfo; + memset(&linux_msginfo, 0, sizeof(linux_msginfo)); /* * XXX MSG_INFO uses the same data structure but returns different * dynamic counters in msgpool, msgmap, and msgtql fields. @@ -833,6 +839,10 @@ linux_shmctl(struct thread *td, struct linux_shmctl_args *args) struct shmid_ds bsd_shmid; int error; + memset(&linux_shm_info, 0, sizeof(linux_shm_info)); + memset(&linux_shmid64, 0, sizeof(linux_shmid64)); + memset(&linux_shminfo64, 0, sizeof(linux_shminfo64)); + switch (args->cmd & ~LINUX_IPC_64) { case LINUX_IPC_INFO: { diff --git a/sys/dev/ath/if_ath_btcoex.c b/sys/dev/ath/if_ath_btcoex.c index f071fc4..002483a 100644 --- a/sys/dev/ath/if_ath_btcoex.c +++ b/sys/dev/ath/if_ath_btcoex.c @@ -457,7 +457,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag *ad) * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; @@ -466,6 +466,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag *ad) switch (id) { default: error = EINVAL; + goto bad; } if (outsize < ad->ad_out_size) ad->ad_out_size = outsize; diff --git a/sys/dev/ath/if_ath_ioctl.c b/sys/dev/ath/if_ath_ioctl.c index 1128c18..73c1ca2 100644 --- a/sys/dev/ath/if_ath_ioctl.c +++ b/sys/dev/ath/if_ath_ioctl.c @@ -197,7 +197,7 @@ ath_ioctl_diag(struct ath_softc *sc, struct ath_diag *ad) * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; diff --git a/sys/dev/ath/if_ath_lna_div.c b/sys/dev/ath/if_ath_lna_div.c index 5c102fb..ec85924 100644 --- a/sys/dev/ath/if_ath_lna_div.c +++ b/sys/dev/ath/if_ath_lna_div.c @@ -187,7 +187,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_diag *ad) * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; @@ -196,6 +196,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_diag *ad) switch (id) { default: error = EINVAL; + goto bad; } if (outsize < ad->ad_out_size) ad->ad_out_size = outsize; diff --git a/sys/dev/ath/if_ath_spectral.c b/sys/dev/ath/if_ath_spectral.c index e4afdae..d8f9e8a 100644 --- a/sys/dev/ath/if_ath_spectral.c +++ b/sys/dev/ath/if_ath_spectral.c @@ -212,7 +212,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_diag *ad) * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; @@ -275,6 +275,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_diag *ad) break; default: error = EINVAL; + goto bad; } if (outsize < ad->ad_out_size) ad->ad_out_size = outsize; diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c index 6a7bf00..64f8562 100644 --- a/sys/netinet/tcp_usrreq.c +++ b/sys/netinet/tcp_usrreq.c @@ -1495,7 +1495,9 @@ tcp_ctloutput(struct socket *so, struct sockopt *sopt) return (error); } else if ((sopt->sopt_dir == SOPT_GET) && (sopt->sopt_name == TCP_FUNCTION_BLK)) { - strcpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name); + strncpy(fsn.function_set_name, tp->t_fb->tfb_tcp_block_name, + TCP_FUNCTION_NAME_LEN_MAX); + fsn.function_set_name[TCP_FUNCTION_NAME_LEN_MAX - 1] = '\0'; fsn.pcbcnt = tp->t_fb->tfb_refcnt; INP_WUNLOCK(inp); error = sooptcopyout(sopt, &fsn, sizeof fsn); -- cgit v1.1