From owner-svn-src-stable-10@freebsd.org Wed Apr 5 21:08:27 2017 Return-Path: Delivered-To: svn-src-stable-10@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9AF91D30459; Wed, 5 Apr 2017 21:08:27 +0000 (UTC) (envelope-from brooks@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6C8A7394; Wed, 5 Apr 2017 21:08:27 +0000 (UTC) (envelope-from brooks@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v35L8QFZ070802; Wed, 5 Apr 2017 21:08:26 GMT (envelope-from brooks@FreeBSD.org) Received: (from brooks@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v35L8QYT070801; Wed, 5 Apr 2017 21:08:26 GMT (envelope-from brooks@FreeBSD.org) Message-Id: <201704052108.v35L8QYT070801@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: brooks set sender to brooks@FreeBSD.org using -f From: Brooks Davis Date: Wed, 5 Apr 2017 21:08:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r316543 - stable/10/sys/kern X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-10@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for only the 10-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Apr 2017 21:08:27 -0000 Author: brooks Date: Wed Apr 5 21:08:26 2017 New Revision: 316543 URL: https://svnweb.freebsd.org/changeset/base/316543 Log: MFC r316497: Correct a kernel stack leak in 32-bit compat when vfc_name is short. Don't zero unused pointer members again. Per discussion with secteam we are not issuing an advisory for this issue as we have no current evidence it leaks exploitable information. Reviewed by: rwatson, glebius, delphij Sponsored by: DARPA, AFRL Modified: stable/10/sys/kern/vfs_subr.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/kern/vfs_subr.c ============================================================================== --- stable/10/sys/kern/vfs_subr.c Wed Apr 5 20:11:05 2017 (r316542) +++ stable/10/sys/kern/vfs_subr.c Wed Apr 5 21:08:26 2017 (r316543) @@ -3357,12 +3357,11 @@ vfsconf2x32(struct sysctl_req *req, stru { struct xvfsconf32 xvfsp; + bzero(&xvfsp, sizeof(xvfsp)); strcpy(xvfsp.vfc_name, vfsp->vfc_name); xvfsp.vfc_typenum = vfsp->vfc_typenum; xvfsp.vfc_refcount = vfsp->vfc_refcount; xvfsp.vfc_flags = vfsp->vfc_flags; - xvfsp.vfc_vfsops = 0; - xvfsp.vfc_next = 0; return (SYSCTL_OUT(req, &xvfsp, sizeof(xvfsp))); } #endif