svn commit: r332303 - stable/11/sys/dev/ath

Ed Maste emaste at FreeBSD.org
Sun Apr 8 20:50:18 UTC 2018 

Author: emaste
Date: Sun Apr  8 20:50:16 2018
New Revision: 332303
URL: https://svnweb.freebsd.org/changeset/base/332303

Log:
  MFC ath(4) potential memory disclosure fixes
  
  [1] r327499: ath: fix memory disclosure from ath_btcoex_ioctl
  
  The ath_btcoex_ioctl handler allocated a buffer without M_ZERO and
  returned it to userland without writing to it.
  
  The device has permissions only for root so this is not urgent, and the
  fix can be MFCd and considered for a future EN.
  
  [2] r327500: ath: fix possible memory disclosures in ioctl handlers
  
  Apply the fix from r327499 to additional ioctl handlers.
  
  [3] r327529: ath: fix possible memory disclosure in ioctl handler
  
  Submitted by:	Domagoj Stolfa <domagoj.stolfa at gmail.com> [1,3]
  Reported by:	Ilja van Sprundel <ivansprundel at ioactive.com> [1,2]
  Reviewed by:	adrian [1]
  Sponsored by:	The FreeBSD Foundation

Modified:
  stable/11/sys/dev/ath/if_ath_btcoex.c
  stable/11/sys/dev/ath/if_ath_ioctl.c
  stable/11/sys/dev/ath/if_ath_lna_div.c
  stable/11/sys/dev/ath/if_ath_spectral.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/dev/ath/if_ath_btcoex.c
==============================================================================
--- stable/11/sys/dev/ath/if_ath_btcoex.c	Sun Apr  8 20:30:52 2018	(r332302)
+++ stable/11/sys/dev/ath/if_ath_btcoex.c	Sun Apr  8 20:50:16 2018	(r332303)
@@ -457,7 +457,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -466,6 +466,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag
 	switch (id) {
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;

Modified: stable/11/sys/dev/ath/if_ath_ioctl.c
==============================================================================
--- stable/11/sys/dev/ath/if_ath_ioctl.c	Sun Apr  8 20:30:52 2018	(r332302)
+++ stable/11/sys/dev/ath/if_ath_ioctl.c	Sun Apr  8 20:50:16 2018	(r332303)
@@ -197,7 +197,7 @@ ath_ioctl_diag(struct ath_softc *sc, struct ath_diag *
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;

Modified: stable/11/sys/dev/ath/if_ath_lna_div.c
==============================================================================
--- stable/11/sys/dev/ath/if_ath_lna_div.c	Sun Apr  8 20:30:52 2018	(r332302)
+++ stable/11/sys/dev/ath/if_ath_lna_div.c	Sun Apr  8 20:50:16 2018	(r332303)
@@ -187,7 +187,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -196,6 +196,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia
 	switch (id) {
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;

Modified: stable/11/sys/dev/ath/if_ath_spectral.c
==============================================================================
--- stable/11/sys/dev/ath/if_ath_spectral.c	Sun Apr  8 20:30:52 2018	(r332302)
+++ stable/11/sys/dev/ath/if_ath_spectral.c	Sun Apr  8 20:50:16 2018	(r332303)
@@ -212,7 +212,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -275,6 +275,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di
 		break;
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;

More information about the svn-src-stable-11 mailing list