Fix kernel memory disclosure in ibcs2_getdents

ibcs2_getdents() copies a dirent structure to userland. The ibcs2 dirent structure contains a 2 byte pad element. This element is never initialized, but copied to userland none-the-less. Note that ibcs2 has not built on HEAD since r302095. Submitted by: Domagoj Stolfa <ds815@cam.ac.uk> Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 3 days Security: Kernel memory disclosure (803)
2018-03-21 23:26:42 +00:00 · 2018-03-21 23:26:42 +00:00 · 24f2ef9bb9
commit 24f2ef9bb9
parent 5aab68f24a
1 changed files with 1 additions and 0 deletions
--- a/sys/i386/ibcs2/ibcs2_misc.c
+++ b/sys/i386/ibcs2/ibcs2_misc.c
@ -330,6 +330,7 @@ ibcs2_getdents(struct thread *td, struct ibcs2_getdents_args *uap)
 #define	BSD_DIRENT(cp)		((struct dirent *)(cp))
 #define	IBCS2_RECLEN(reclen)	(reclen + sizeof(u_short))

+	memset(&idb, 0, sizeof(idb));
 	error = getvnode(td, uap->fd, cap_rights_init(&rights, CAP_READ), &fp);
 	if (error != 0)
 		return (error);