Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 9 Apr 2018 12:53:16 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r332320 - stable/10/sys/dev/ath
Message-ID:  <201804091253.w39CrGZa013963@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: emaste
Date: Mon Apr  9 12:53:15 2018
New Revision: 332320
URL: https://svnweb.freebsd.org/changeset/base/332320

Log:
  MFC ath(4) potential memory disclosure fixes
  
  [1] r327499: ath: fix memory disclosure from ath_btcoex_ioctl
  
  The ath_btcoex_ioctl handler allocated a buffer without M_ZERO and
  returned it to userland without writing to it.
  
  The device has permissions only for root so this is not urgent, and the
  fix can be MFCd and considered for a future EN.
  
  [2] r327500: ath: fix possible memory disclosures in ioctl handlers
  
  Apply the fix from r327499 to additional ioctl handlers.
  
  Note: related fix in r327529 does not apply directly to stable/10 and
  will be addressed in a followup commit.
  
  Submitted by:	Domagoj Stolfa <domagoj.stolfa@gmail.com> [1]
  Reported by:	Ilja van Sprundel <ivansprundel@ioactive.com> [1,2]
  Reviewed by:	adrian [1]
  Sponsored by:	The FreeBSD Foundation

Modified:
  stable/10/sys/dev/ath/if_ath_btcoex.c
  stable/10/sys/dev/ath/if_ath_lna_div.c
  stable/10/sys/dev/ath/if_ath_spectral.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/dev/ath/if_ath_btcoex.c
==============================================================================
--- stable/10/sys/dev/ath/if_ath_btcoex.c	Mon Apr  9 09:24:26 2018	(r332319)
+++ stable/10/sys/dev/ath/if_ath_btcoex.c	Mon Apr  9 12:53:15 2018	(r332320)
@@ -321,7 +321,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -330,6 +330,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag
 	switch (id) {
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;

Modified: stable/10/sys/dev/ath/if_ath_lna_div.c
==============================================================================
--- stable/10/sys/dev/ath/if_ath_lna_div.c	Mon Apr  9 09:24:26 2018	(r332319)
+++ stable/10/sys/dev/ath/if_ath_lna_div.c	Mon Apr  9 12:53:15 2018	(r332320)
@@ -185,7 +185,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -194,6 +194,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia
 	switch (id) {
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;

Modified: stable/10/sys/dev/ath/if_ath_spectral.c
==============================================================================
--- stable/10/sys/dev/ath/if_ath_spectral.c	Mon Apr  9 09:24:26 2018	(r332319)
+++ stable/10/sys/dev/ath/if_ath_spectral.c	Mon Apr  9 12:53:15 2018	(r332320)
@@ -210,7 +210,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -273,6 +273,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di
 		break;
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201804091253.w39CrGZa013963>