author | Ed Maste <emaste@FreeBSD.org> | 2018-01-02 18:31:32 +0000 |
---|---|---|
committer | Ed Maste <emaste@FreeBSD.org> | 2018-01-02 18:31:32 +0000 |
commit | 5d8501f487e973d6ab6a368360c9dcb101fd08e9 (patch) | |
tree | 9ca11c027de17c7d1db890c166c2864cc92589ab /sys/dev/hptnr | |
parent | 51cbc81510a577cefcabcab755894d997ad7f895 (diff) | |
hpt{nr,rr}: plug info leak in hpt_ioctl
The hpt{nr,rr} ioctl handler allocates a buffer without M_ZERO and calls
hpt_do_ioctl(), which might not overwrite the entire buffer.
Also zero bytesReturned in case it is not written by hpt_do_ioctl().
The hpt27{nr,rr} device has permissions only for root so this is not urgent,
and the fix can be MFCd and considered for a future EN.
The same issue was reported in the hpt27xx driver by Ilja Van Sprundel.
Reviewed by: jhb, kib
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Notes
Notes:
svn path=/head/; revision=327498
Diffstat (limited to 'sys/dev/hptnr')
-rw-r--r-- | sys/dev/hptnr/hptnr_osm_bsd.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/dev/hptnr/hptnr_osm_bsd.c b/sys/dev/hptnr/hptnr_osm_bsd.c
index 0fd09ee93a6e..8afd3e22d2e8 100644
--- a/sys/dev/hptnr/hptnr_osm_bsd.c
+++ b/sys/dev/hptnr/hptnr_osm_bsd.c
@@ -1586,7 +1586,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
 {
 PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
 IOCTL_ARG ioctl_args;
- HPT_U32 bytesReturned;
+ HPT_U32 bytesReturned = 0;
 switch (cmd){
 case HPT_DO_IOCONTROL:
@@ -1616,7 +1616,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
 }
 if (ioctl_args.nOutBufferSize) {
- ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
+ ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
 if (!ioctl_args.lpOutBuffer) goto invalid;
 } |
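Review bot: In the second hunk, the size passed to `malloc()` is `ioctl_args.nOutBufferSize`, and no upper bound on it is visible here. If that value is taken unchanged from the caller's ioctl parameter block (likely, but the assignment is outside the hunk), a single request can ask for an arbitrarily large zeroed `M_WAITOK` allocation, so a driver-defined cap checked before the allocation is worth adding even though the commit message says the device node is root-only. Because `M_WAITOK` allocations sleep rather than fail, the following `if (!ioctl_args.lpOutBuffer) goto invalid;` is dead code and can be dropped or replaced by that size check. A comment on the malloc line such as `/* M_ZERO: hpt_do_ioctl() may not fill the whole buffer before it is copied out */`, and a matching one on `bytesReturned = 0` in the first hunk, would keep a later cleanup from removing either initialisation. The body of `hpt_ioctl` starts and ends outside both hunks, so the copyout path and any existing validation could not be checked.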