svn commit: r332303 - stable/11/sys/dev/ath
Ed Maste
emaste at FreeBSD.org
Sun Apr 8 20:50:18 UTC 2018
Author: emaste
Date: Sun Apr 8 20:50:16 2018
New Revision: 332303
URL: https://svnweb.freebsd.org/changeset/base/332303
Log:
MFC ath(4) potential memory disclosure fixes
[1] r327499: ath: fix memory disclosure from ath_btcoex_ioctl
The ath_btcoex_ioctl handler allocated a buffer without M_ZERO and
returned it to userland without writing to it.
The device has permissions only for root so this is not urgent, and the
fix can be MFCd and considered for a future EN.
[2] r327500: ath: fix possible memory disclosures in ioctl handlers
Apply the fix from r327499 to additional ioctl handlers.
[3] r327529: ath: fix possible memory disclosure in ioctl handler
Submitted by: Domagoj Stolfa <domagoj.stolfa at gmail.com> [1,3]
Reported by: Ilja van Sprundel <ivansprundel at ioactive.com> [1,2]
Reviewed by: adrian [1]
Sponsored by: The FreeBSD Foundation
Modified:
stable/11/sys/dev/ath/if_ath_btcoex.c
stable/11/sys/dev/ath/if_ath_ioctl.c
stable/11/sys/dev/ath/if_ath_lna_div.c
stable/11/sys/dev/ath/if_ath_spectral.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/dev/ath/if_ath_btcoex.c
==============================================================================
--- stable/11/sys/dev/ath/if_ath_btcoex.c Sun Apr 8 20:30:52 2018 (r332302)
+++ stable/11/sys/dev/ath/if_ath_btcoex.c Sun Apr 8 20:50:16 2018 (r332303)
@@ -457,7 +457,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
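Review bot: The comment kept above the malloc in ath_btcoex_ioctl still ends with "may want to be more defensive" and does not say why the buffer is zeroed. M_ZERO is the actual disclosure fix here, so add a sentence to that comment stating that outdata is returned to userland and must be fully initialized; otherwise the flag is easy to drop later as a needless cost. The existing NULL check right below still covers an M_NOWAIT failure.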
@@ -466,6 +466,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag
switch (id) {
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
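Review bot: The switch (id) in ath_btcoex_ioctl has only a default case, so with the added goto bad every request now exits with EINVAL and the ad_out_size clamp after the switch is unreachable. If the handler is a placeholder, say so in a comment, or reject the request before the malloc so no buffer is allocated just to be released. The bad label is outside the visible lines, so also confirm it frees outdata.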
Modified: stable/11/sys/dev/ath/if_ath_ioctl.c
==============================================================================
--- stable/11/sys/dev/ath/if_ath_ioctl.c Sun Apr 8 20:30:52 2018 (r332302)
+++ stable/11/sys/dev/ath/if_ath_ioctl.c Sun Apr 8 20:50:16 2018 (r332303)
@@ -197,7 +197,7 @@ ath_ioctl_diag(struct ath_softc *sc, struct ath_diag *
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
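Review bot: ath_ioctl_diag gets only the M_ZERO change, while the btcoex, lna_div and spectral handlers in this commit also gain a goto bad on their default case. Confirm that an unrecognized id in ath_ioctl_diag cannot reach the copy to userland with error already set. Zeroing stops stale heap contents from leaking, but handing back a zero-filled buffer on a failed request would still be inconsistent with the other three handlers.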
Modified: stable/11/sys/dev/ath/if_ath_lna_div.c
==============================================================================
--- stable/11/sys/dev/ath/if_ath_lna_div.c Sun Apr 8 20:30:52 2018 (r332302)
+++ stable/11/sys/dev/ath/if_ath_lna_div.c Sun Apr 8 20:50:16 2018 (r332303)
@@ -187,7 +187,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
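Review bot: The malloc line in ath_lna_div_ioctl is the same allocation, under the same comment, that this commit patches in three other handlers. A small shared helper that allocates the diag output buffer with M_NOWAIT | M_ZERO would keep the four call sites from drifting apart and make it harder for a new handler to copy the pattern without the flag.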
@@ -196,6 +196,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia
switch (id) {
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
Modified: stable/11/sys/dev/ath/if_ath_spectral.c
==============================================================================
--- stable/11/sys/dev/ath/if_ath_spectral.c Sun Apr 8 20:30:52 2018 (r332302)
+++ stable/11/sys/dev/ath/if_ath_spectral.c Sun Apr 8 20:50:16 2018 (r332303)
@@ -212,7 +212,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di
* pointer for us to use below in reclaiming the buffer;
* may want to be more defensive.
*/
- outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+ outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
if (outdata == NULL) {
error = ENOMEM;
goto bad;
@@ -275,6 +275,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di
break;
default:
error = EINVAL;
+ goto bad;
}
if (outsize < ad->ad_out_size)
ad->ad_out_size = outsize;
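Review bot: After the switch in ath_ioctl_spectral, ad_out_size is clamped to outsize, not to the number of bytes the matched case actually wrote. Unlike the btcoex and lna_div switches, this one has real cases before the default (the break above it), so successful requests do reach that clamp. Check that each case either fills the whole buffer or sets the length itself; M_ZERO turns any unwritten tail into zeros instead of heap contents, but the length reported to userland should still match the data produced.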