hpt{nr,rr}: plug info leak in hpt_ioctl
The hpt{nr,rr} ioctl handler allocates a buffer without M_ZERO and calls hpt_do_ioctl(), which might not overwrite the entire buffer. Also zero bytesReturned in case it is not written by hpt_do_ioctl(). The hpt27{nr,rr} device has permissions only for root so this is not urgent, and the fix can be MFCd and considered for a future EN. The same issue was reported in the hpt27xx driver by Ilja Van Sprundel. Reviewed by: jhb, kib MFC after: 3 days Sponsored by: The FreeBSD Foundation
parent
51cbc81510
commit
5d8501f487
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=327498
@ -1586,7 +1586,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
|
||||
{
|
||||
PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
|
||||
IOCTL_ARG ioctl_args;
|
||||
HPT_U32 bytesReturned;
|
||||
HPT_U32 bytesReturned = 0;
|
||||
|
||||
switch (cmd){
|
||||
case HPT_DO_IOCONTROL:
|
||||
@ -1616,7 +1616,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
|
||||
}
|
||||
|
||||
if (ioctl_args.nOutBufferSize) {
|
||||
ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
|
||||
ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
|
||||
if (!ioctl_args.lpOutBuffer)
|
||||
goto invalid;
|
||||
}
|
||||
|
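Review bot: The `if (!ioctl_args.lpOutBuffer) goto invalid;` test after the changed malloc() is dead code, because malloc(9) called with M_WAITOK sleeps until memory is available and does not return NULL. More relevant for hardening, nothing in this hunk bounds `ioctl_args.nOutBufferSize` before it reaches the allocator; it is assigned outside the hunk, so it is only an inference that it comes from the caller's request, but if it does, an oversized value ties up kernel memory that is now also zeroed. A cap ahead of the allocation, such as `if (ioctl_args.nOutBufferSize > HPT_MAX_OUT_BUF) goto invalid;` (the constant is a placeholder for a driver-chosen limit), would cover that. The same applies to the identical hunk at -1263 in the second file. hpt_ioctl's body starts and ends outside the hunk.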
@ -1233,7 +1233,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
|
||||
{
|
||||
PHPT_IOCTL_PARAM piop=(PHPT_IOCTL_PARAM)data;
|
||||
IOCTL_ARG ioctl_args;
|
||||
HPT_U32 bytesReturned;
|
||||
HPT_U32 bytesReturned = 0;
|
||||
|
||||
switch (cmd){
|
||||
case HPT_DO_IOCONTROL:
|
||||
@ -1263,7 +1263,7 @@ static int hpt_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, stru
|
||||
}
|
||||
|
||||
if (ioctl_args.nOutBufferSize) {
|
||||
ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK);
|
||||
ioctl_args.lpOutBuffer = malloc(ioctl_args.nOutBufferSize, M_DEVBUF, M_WAITOK | M_ZERO);
|
||||
if (!ioctl_args.lpOutBuffer)
|
||||
goto invalid;
|
||||
}
|
||||
|
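Review bot: Neither the new `M_ZERO` flag nor the `= 0` initialiser carries a comment saying it is there to stop an information leak, so a later cleanup could drop either one as redundant. Above the malloc() I would add `/* M_ZERO: hpt_do_ioctl() may fill only part of the buffer; the rest must not expose stale kernel memory */`, and on the declaration `/* stays 0 if hpt_do_ioctl() does not set it */`. The same two comments fit the matching hunks at -1586 and -1616 in the first file. hpt_ioctl's body continues outside both hunks, so the copy back to the caller is not visible here.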