upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-09 08:43:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix multiple small kernel memory disclosures. [EN-18:04.mem]

Browse source 
Reported by:	Ilja van Sprundel
Approved by:	so
Security:	CVE-2018-6919
Security:	FreeBSD-EN-18:04.mem

(cherry picked from commit 104e4674c6)
This commit is contained in:
gordon 2018-04-04 05:43:03 +00:00 committed by Franco Fichtner
parent 31340666d4
commit e86703e307
7 changed files with 10 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
sys/compat/svr4/svr4_misc.c
View file

@ -259,6 +259,7 @@ svr4_sys_getdents64(td, uap)
u_long *cookies = NULL, *cookiep;
int ncookies;
memset(&svr4_dirent, 0, sizeof(svr4_dirent));
DPRINTF(("svr4_sys_getdents64(%d, *, %d)\n",
uap->fd, uap->nbytes));
error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp);

1
sys/dev/drm/drm_bufs.c
View file

@ -935,6 +935,7 @@ int drm_infobufs(struct drm_device *dev, void *data, struct drm_file *file_priv)
if (dma->bufs[i].buf_count) {
struct drm_buf_desc from;
memset(&from, 0, sizeof(from));
from.count = dma->bufs[i].buf_count;
from.size = dma->bufs[i].buf_size;
from.low_mark = dma->bufs[i].freelist.low_mark;

2
sys/dev/drm/drm_irq.c
View file

@ -351,7 +351,7 @@ int drm_modeset_ctl(struct drm_device *dev, void *data,
goto out;
crtc = modeset->crtc;
if (crtc >= dev->num_crtcs) {
if (crtc < 0 || crtc >= dev->num_crtcs) {
ret = EINVAL;
goto out;
}

4
sys/dev/hpt27xx/hpt27xx_osm_bsd.c
View file

@ -1402,7 +1402,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
{
PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
IOCTL_ARG ioctl_args;
HPT_U32 bytesReturned;
HPT_U32 bytesReturned = 0;
switch (cmd){
case HPT_DO_IOCONTROL:
@ -1432,7 +1432,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
}
if (ioctl_args.nOutBufferSize) {
ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
if (!ioctl_args.lpOutBuffer)
goto invalid;
}

4
sys/dev/hptnr/hptnr_osm_bsd.c
View file

@ -1584,7 +1584,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
{
PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
IOCTL_ARG ioctl_args;
HPT_U32 bytesReturned;
HPT_U32 bytesReturned = 0;
switch (cmd){
case HPT_DO_IOCONTROL:
@ -1614,7 +1614,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
}
if (ioctl_args.nOutBufferSize) {
ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
if (!ioctl_args.lpOutBuffer)
goto invalid;
}

4
sys/dev/hptrr/hptrr_osm_bsd.c
View file

@ -1231,7 +1231,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
{
PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
IOCTL_ARG ioctl_args;
HPT_U32 bytesReturned;
HPT_U32 bytesReturned = 0;
switch (cmd){
case HPT_DO_IOCONTROL:
@ -1261,7 +1261,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
}
if (ioctl_args.nOutBufferSize) {
ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
if (!ioctl_args.lpOutBuffer)
goto invalid;
}

1
sys/i386/ibcs2/ibcs2_misc.c
View file

@ -342,6 +342,7 @@ ibcs2_getdents(td, uap)
#define BSD_DIRENT(cp) ((struct dirent *)(cp))
#define IBCS2_RECLEN(reclen) (reclen + sizeof(u_short))
memset(&idb, 0, sizeof(idb));
error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp);
if (error != 0)
return (error);