Date:      Fri, 5 Jan 2018 16:04:56 +0000 (UTC)
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r327588 - in stable/11/sys/dev: hpt27xx hptnr hptrr
Message-ID:  <201801051604.w05G4uRi058124@repo.freebsd.org>

Author: emaste
Date: Fri Jan  5 16:04:56 2018
New Revision: 327588
URL: https://svnweb.freebsd.org/changeset/base/327588

Log:
  MFC r327497, r327498: fix memory disclosure in hpt* ioctls
  
  r327497: hpt27xx: plug info leak in hpt_ioctl
  
  The hpt27xx ioctl handler allocates a buffer without M_ZERO and calls
  hpt_do_ioctl(), which might not overwrite the entire buffer.
  
  Also zero bytesReturned in case it is not written by hpt_do_ioctl().
  
  The hpt27xx device has permissions only for root so this is not urgent,
  and the fix can be MFCd and considered for a future EN.
  
  Reported by:  Ilja van Sprundel <ivansprundel@ioactive.com>
  Submitted by: Domagoj Stolfa <domagoj.stolfa@gmail.com> (M_ZERO)
  
  r327498: hpt{nr,rr}: plug info leak in hpt_ioctl
  
  The hpt{nr,rr} ioctl handler allocates a buffer without M_ZERO and calls
  hpt_do_ioctl(), which might not overwrite the entire buffer.
  
  Also zero bytesReturned in case it is not written by hpt_do_ioctl().
  
  The hpt{nr,rr} device has permissions only for root so this is not urgent,
  and the fix can be MFCd and considered for a future EN.
  
  The same issue was reported in the hpt27xx driver by Ilja Van Sprundel.
  
  Security:	memory disclosure in root-only ioctls
  Sponsored by:	The FreeBSD Foundation

Modified:
  stable/11/sys/dev/hpt27xx/hpt27xx_osm_bsd.c
  stable/11/sys/dev/hptnr/hptnr_osm_bsd.c
  stable/11/sys/dev/hptrr/hptrr_osm_bsd.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/dev/hpt27xx/hpt27xx_osm_bsd.c
==============================================================================
--- stable/11/sys/dev/hpt27xx/hpt27xx_osm_bsd.c	Fri Jan  5 11:46:45 2018	(r327587)
+++ stable/11/sys/dev/hpt27xx/hpt27xx_osm_bsd.c	Fri Jan  5 16:04:56 2018	(r327588)
@@ -1402,7 +1402,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
 {
 	PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
 	IOCTL_ARG ioctl_args;
-	HPT_U32 bytesReturned;
+	HPT_U32 bytesReturned = 0;
 
 	switch (cmd){
 	case HPT_DO_IOCONTROL:
@@ -1432,7 +1432,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
 		}
 	
 		if (ioctl_args.nOutBufferSize) {
-			ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
+			ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
 			if (!ioctl_args.lpOutBuffer)
 				goto invalid;
 		}
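Review bot: The `if (!ioctl_args.lpOutBuffer) goto invalid;` check kept after the new `M_WAITOK | M_ZERO` allocation is unreachable, because malloc(9) with M_WAITOK sleeps until memory is available and never returns NULL, so the line reads as if the allocation can fail. Either drop the check or, if failing the ioctl on a large request is the intended behaviour, allocate with `M_NOWAIT | M_ZERO` so the check is live. Whether `nOutBufferSize` is bounded before this allocation is outside the hunk; a user-supplied size feeding an unbounded M_WAITOK allocation is worth a cap if none exists earlier in hpt_ioctl. The same pattern appears in the hptnr and hptrr hunks of this commit. hpt_ioctl begins and ends outside the hunk.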

Modified: stable/11/sys/dev/hptnr/hptnr_osm_bsd.c
==============================================================================
--- stable/11/sys/dev/hptnr/hptnr_osm_bsd.c	Fri Jan  5 11:46:45 2018	(r327587)
+++ stable/11/sys/dev/hptnr/hptnr_osm_bsd.c	Fri Jan  5 16:04:56 2018	(r327588)
@@ -1584,7 +1584,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
 {
 	PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
 	IOCTL_ARG ioctl_args;
-	HPT_U32 bytesReturned;
+	HPT_U32 bytesReturned = 0;
 
 	switch (cmd){
 	case HPT_DO_IOCONTROL:
@@ -1614,7 +1614,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
 		}
 	
 		if (ioctl_args.nOutBufferSize) {
-			ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
+			ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
 			if (!ioctl_args.lpOutBuffer)
 				goto invalid;
 		}

Modified: stable/11/sys/dev/hptrr/hptrr_osm_bsd.c
==============================================================================
--- stable/11/sys/dev/hptrr/hptrr_osm_bsd.c	Fri Jan  5 11:46:45 2018	(r327587)
+++ stable/11/sys/dev/hptrr/hptrr_osm_bsd.c	Fri Jan  5 16:04:56 2018	(r327588)
@@ -1231,7 +1231,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
 {
 	PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
 	IOCTL_ARG ioctl_args;
-	HPT_U32 bytesReturned;
+	HPT_U32 bytesReturned = 0;
 
 	switch (cmd){
 	case HPT_DO_IOCONTROL:
@@ -1261,7 +1261,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, cad
 		}
 	
 		if (ioctl_args.nOutBufferSize) {
-			ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
+			ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
 			if (!ioctl_args.lpOutBuffer)
 				goto invalid;
 		}


