svn commit: r331412 - stable/10/sys/dev/drm
Ed Maste
emaste at FreeBSD.org
Fri Mar 23 02:38:32 UTC 2018
Author: emaste
Date: Fri Mar 23 02:38:31 2018
New Revision: 331412
URL: https://svnweb.freebsd.org/changeset/base/331412
Log:
MFC r331333: Fix kernel memory disclosure in drm_infobufs
drm_infobufs() has a structure on the stack, fills it out and copies it
to userland. There are 2 elements in the struct that are not filled out
and left uninitialized. This will leak uninitialized kernel stack data
to userland.
Submitted by: Domagoj Stolfa <ds815 at cam.ac.uk>
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Security: Kernel memory disclosure (798)
Modified:
stable/10/sys/dev/drm/drm_bufs.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/sys/dev/drm/drm_bufs.c
==============================================================================
--- stable/10/sys/dev/drm/drm_bufs.c Fri Mar 23 02:37:08 2018 (r331411)
+++ stable/10/sys/dev/drm/drm_bufs.c Fri Mar 23 02:38:31 2018 (r331412)
@@ -935,6 +935,7 @@ int drm_infobufs(struct drm_device *dev, void *data, s
if (dma->bufs[i].buf_count) {
struct drm_buf_desc from;
+ memset(&from, 0, sizeof(from));
from.count = dma->bufs[i].buf_count;
from.size = dma->bufs[i].buf_size;
from.low_mark = dma->bufs[i].freelist.low_mark;
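Review bot: The added memset(&from, 0, sizeof(from)) directly after the declaration of struct drm_buf_desc from has no comment explaining why it is needed, and because the following lines assign from.count, from.size and from.low_mark it reads as redundant to anyone who has not seen the log message. A short comment, for example /* Zero the whole struct: it is copied out to userland and not every member is set below. */, would keep a later cleanup from removing it. Zeroing the whole object instead of assigning the two unset members individually is the better form to keep, since it also clears any padding bytes and any member added to the struct later.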