git: 5862c891bb7c - main - kern: zero out stack buffer after copying out random bits
Date: Mon, 15 Jul 2024 20:18:06 UTC
The branch main has been updated by kevans:
URL: https://cgit.FreeBSD.org/src/commit/?id=5862c891bb7c588aa00538d85eb26ffe77d3f709
commit 5862c891bb7c588aa00538d85eb26ffe77d3f709
Author: Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2024-07-15 20:17:47 +0000
Commit: Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2024-07-15 20:17:47 +0000
kern: zero out stack buffer after copying out random bits
The kern.arandom sysctl handler uses an intermediate buffer on the stack
to hold random data that it subsequently copies out to the sysctl
request. Err on the side of caution and zero out the stack buffer after
we're done with it to avoid a potential entropy leak later on.
Reviewed by: cem, emaste, markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D45978
---
sys/kern/kern_mib.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/sys/kern/kern_mib.c b/sys/kern/kern_mib.c
index 5724ed3f6932..fe6e49865682 100644
--- a/sys/kern/kern_mib.c
+++ b/sys/kern/kern_mib.c
@@ -182,10 +182,14 @@ sysctl_kern_arnd(SYSCTL_HANDLER_ARGS)
{
char buf[256];
size_t len;
+ int error;
len = MIN(req->oldlen, sizeof(buf));
read_random(buf, len);
- return (SYSCTL_OUT(req, buf, len));
+
+ error = SYSCTL_OUT(req, buf, len);
+ explicit_bzero(buf, len);
+ return (error);
}
SYSCTL_PROC(_kern, KERN_ARND, arandom,
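Review bot: the new explicit_bzero(buf, len) line in sysctl_kern_arnd() has no comment explaining why the buffer is cleared, so a later cleanup could collapse the three added lines back into a single return (SYSCTL_OUT(...)) without noticing the intent. A short comment above it, stating that the stack copy of the random bytes is scrubbed after copyout, would protect the change. Clearing with sizeof(buf) instead of len is also worth considering: len is the exact count read_random() filled here, so the current call is correct, but sizeof(buf) keeps the scrub complete if the length computation above it is ever changed. Placing the call after SYSCTL_OUT and before the return is right, since it runs whether or not the copyout reports an error.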