svn commit: r331411 - stable/11/sys/dev/drm

Fri Mar 23 02:37:09 UTC 2018

Author: emaste
Date: Fri Mar 23 02:37:08 2018
New Revision: 331411
URL: https://svnweb.freebsd.org/changeset/base/331411

Log:
  MFC r331333: Fix kernel memory disclosure in drm_infobufs
  
  drm_infobufs() has a structure on the stack, fills it out and copies it
  to userland.  There are 2 elements in the struct that are not filled out
  and left uninitialized.  This will leak uninitialized kernel stack data
  to userland.
  
  Submitted by:	Domagoj Stolfa <ds815 at cam.ac.uk>
  Reported by:	Ilja Van Sprundel <ivansprundel at ioactive.com>
  Security:	Kernel memory disclosure (798)

Modified:
  stable/11/sys/dev/drm/drm_bufs.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/dev/drm/drm_bufs.c
==============================================================================

--- stable/11/sys/dev/drm/drm_bufs.c	Fri Mar 23 02:34:45 2018	(r331410)
+++ stable/11/sys/dev/drm/drm_bufs.c	Fri Mar 23 02:37:08 2018	(r331411)
@@ -935,6 +935,7 @@ int drm_infobufs(struct drm_device *dev, void *data, s
 			if (dma->bufs[i].buf_count) {
 				struct drm_buf_desc from;
 
+				memset(&from, 0, sizeof(from));
 				from.count = dma->bufs[i].buf_count;
 				from.size = dma->bufs[i].buf_size;
 				from.low_mark = dma->bufs[i].freelist.low_mark;
