d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

hpt27xx: plug info leak in hpt_ioctl

Browse Source 
The hpt27xx ioctl handler allocates a buffer without M_ZERO and calls
hpt_do_ioctl(), which might not overwrite the entire buffer.

Also zero bytesReturned in case it is not written by hpt_do_ioctl().

The hpt27xx device has permissions only for root so this is not urgent,
and the fix can be MFCd and considered for a future EN.

Reported by:	Ilja van Sprundel <ivansprundel@ioactive.com>
Submitted by:	Domagoj Stolfa <domagoj.stolfa@gmail.com> (M_ZERO)
Reviewed by:	jhb, kib
MFC after:	3 days
Security:	info leak in root-only ioctl
Sponsored by:	The FreeBSD Foundation
This commit is contained in:
Ed Maste 2018-01-02 18:29:44 +00:00
parent 1787c3feb4
commit 51cbc81510
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=327497
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sys/dev/hpt27xx/hpt27xx_osm_bsd.c
View File

@ -1404,7 +1404,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
{
PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
IOCTL_ARG ioctl_args;
HPT_U32 bytesReturned;
HPT_U32 bytesReturned = 0;
switch (cmd){
case HPT_DO_IOCONTROL:
@ -1434,7 +1434,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
}
if (ioctl_args.nOutBufferSize) {
ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
if (!ioctl_args.lpOutBuffer)
goto invalid;
}