From owner-svn-src-all@freebsd.org Tue Jan 2 19:29:32 2018 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2EC71EB4CCA; Tue, 2 Jan 2018 19:29:32 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id ED6D86E9DF; Tue, 2 Jan 2018 19:29:31 +0000 (UTC) (envelope-from emaste@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w02JTVZK018834; Tue, 2 Jan 2018 19:29:31 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w02JTV1C018833; Tue, 2 Jan 2018 19:29:31 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201801021929.w02JTV1C018833@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f From: Ed Maste Date: Tue, 2 Jan 2018 19:29:31 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r327499 - head/sys/dev/ath X-SVN-Group: head X-SVN-Commit-Author: emaste X-SVN-Commit-Paths: head/sys/dev/ath X-SVN-Commit-Revision: 327499 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jan 2018 19:29:32 -0000 Author: emaste Date: Tue Jan 2 19:29:30 2018 New Revision: 327499 URL: https://svnweb.freebsd.org/changeset/base/327499 Log: ath: fix memory disclosure from ath_btcoex_ioctl The ath_btcoex_ioctl handler allocated a buffer without M_ZERO and returned it to userland without writing to it. The device has permissions only for root so this is not urgent, and the fix can be MFCd and considered for a future EN. Reported by: Ilja van Sprundel Submitted by: Domagoj Stolfa Reviewed by: adrian MFC after: 1 week Modified: head/sys/dev/ath/if_ath_btcoex.c Modified: head/sys/dev/ath/if_ath_btcoex.c ============================================================================== --- head/sys/dev/ath/if_ath_btcoex.c Tue Jan 2 18:31:32 2018 (r327498) +++ head/sys/dev/ath/if_ath_btcoex.c Tue Jan 2 19:29:30 2018 (r327499) @@ -459,7 +459,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; @@ -468,6 +468,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag switch (id) { default: error = EINVAL; + goto bad; } if (outsize < ad->ad_out_size) ad->ad_out_size = outsize;