Module Name:    src
Committed By:   riastradh
Date:           Thu Sep  9 23:26:37 UTC 2021

Modified Files:
        src/sys/dev/isa: mcd.c
        src/sys/dev/pci: if_iwi.c
        src/sys/dev/raidframe: rf_netbsdkintf.c
        src/sys/dev/scsipi: ses.c

Log Message:
sys/dev: Memset zero before copyout.

Just in case of uninitialized padding which would lead to kernel
stack disclosure.  If the compiler can prove the memset redundant
then it can optimize it away; otherwise better safe than sorry.

I think the iwi(4), mcd(4), and ses(4) changes actually plug leaks;
the raidframe(4) change probably doesn't (but doesn't hurt).


To generate a diff of this commit:
cvs rdiff -u -r1.120 -r1.121 src/sys/dev/isa/mcd.c
cvs rdiff -u -r1.116 -r1.117 src/sys/dev/pci/if_iwi.c
cvs rdiff -u -r1.400 -r1.401 src/sys/dev/raidframe/rf_netbsdkintf.c
cvs rdiff -u -r1.51 -r1.52 src/sys/dev/scsipi/ses.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/isa/mcd.c
diff -u src/sys/dev/isa/mcd.c:1.120 src/sys/dev/isa/mcd.c:1.121
--- src/sys/dev/isa/mcd.c:1.120	Mon Feb 24 12:20:29 2020
+++ src/sys/dev/isa/mcd.c	Thu Sep  9 23:26:36 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: mcd.c,v 1.120 2020/02/24 12:20:29 rin Exp $	*/
+/*	$NetBSD: mcd.c,v 1.121 2021/09/09 23:26:36 riastradh Exp $	*/
 
 /*
  * Copyright (c) 1993, 1994, 1995 Charles M. Hannum.  All rights reserved.
@@ -56,7 +56,7 @@
 /*static char COPYRIGHT[] = "mcd-driver (C)1993 by H.Veit & B.Moore";*/
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: mcd.c,v 1.120 2020/02/24 12:20:29 rin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: mcd.c,v 1.121 2021/09/09 23:26:36 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -1601,6 +1601,7 @@ mcd_read_subchannel(struct mcd_softc *sc
 	if ((error = mcd_getqchan(sc, &q, ch->data_format)) != 0)
 		return error;
 
+	memset(info, 0, sizeof(*info));
 	info->header.audio_status = sc->audio_status;
 	info->what.media_catalog.data_format = ch->data_format;
 
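Review bot: The added `memset(info, 0, sizeof(*info));` in mcd_read_subchannel has no comment, and the visible lines assign only a few members of `*info`, so a later cleanup could easily drop the memset as redundant. I would put `/* Clear padding and unassigned members: *info is copied out to userland by the caller. */` directly above it. The copyout is not in this hunk, so confirm where it happens before settling the wording. The function body starts and ends outside the hunk.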

Index: src/sys/dev/pci/if_iwi.c
diff -u src/sys/dev/pci/if_iwi.c:1.116 src/sys/dev/pci/if_iwi.c:1.117
--- src/sys/dev/pci/if_iwi.c:1.116	Wed Jun 16 00:21:18 2021
+++ src/sys/dev/pci/if_iwi.c	Thu Sep  9 23:26:36 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_iwi.c,v 1.116 2021/06/16 00:21:18 riastradh Exp $  */
+/*	$NetBSD: if_iwi.c,v 1.117 2021/09/09 23:26:36 riastradh Exp $  */
 /*	$OpenBSD: if_iwi.c,v 1.111 2010/11/15 19:11:57 damien Exp $	*/
 
 /*-
@@ -19,7 +19,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_iwi.c,v 1.116 2021/06/16 00:21:18 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_iwi.c,v 1.117 2021/09/09 23:26:36 riastradh Exp $");
 
 /*-
  * Intel(R) PRO/Wireless 2200BG/2225BG/2915ABG driver
@@ -1870,8 +1870,9 @@ iwi_get_table0(struct iwi_softc *sc, uin
 {
 	uint32_t size, buf[128];
 
+	memset(buf, 0, sizeof buf);
+
 	if (!(sc->flags & IWI_FLAG_FW_INITED)) {
-		memset(buf, 0, sizeof buf);
 		return copyout(buf, tbl, sizeof buf);
 	}
 
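Review bot: The memset hoisted to the top of iwi_get_table0 has no comment saying it must stay unconditional, and a tempting cleanup is to push it back under the `!(sc->flags & IWI_FLAG_FW_INITED)` branch where it used to live. A one-line comment such as `/* Zero all of buf: it is copied out whole and the firmware path may fill only part of it. */` would pin the intent. The firmware-initialised path lies outside the hunk, so the second half of that comment is an assumption drawn from the log message and should be checked against the rest of the function. As a style point, the braces around the now single-statement `return copyout(buf, tbl, sizeof buf);` could be dropped.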

Index: src/sys/dev/raidframe/rf_netbsdkintf.c
diff -u src/sys/dev/raidframe/rf_netbsdkintf.c:1.400 src/sys/dev/raidframe/rf_netbsdkintf.c:1.401
--- src/sys/dev/raidframe/rf_netbsdkintf.c:1.400	Sat Aug 28 16:00:52 2021
+++ src/sys/dev/raidframe/rf_netbsdkintf.c	Thu Sep  9 23:26:37 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: rf_netbsdkintf.c,v 1.400 2021/08/28 16:00:52 oster Exp $	*/
+/*	$NetBSD: rf_netbsdkintf.c,v 1.401 2021/09/09 23:26:37 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2008-2011 The NetBSD Foundation, Inc.
@@ -101,7 +101,7 @@
  ***********************************************************/
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rf_netbsdkintf.c,v 1.400 2021/08/28 16:00:52 oster Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rf_netbsdkintf.c,v 1.401 2021/09/09 23:26:37 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_raid_autoconfig.h"
@@ -3859,6 +3859,8 @@ void
 rf_check_recon_status_ext(RF_Raid_t *raidPtr, RF_ProgressInfo_t *info)
 {
 
+	memset(info, 0, sizeof(*info));
+
 	if (raidPtr->status != rf_rs_reconstructing) {
 		info->total = 100;
 		info->completed = 100;
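Review bot: rf_check_recon_status_ext now clears `*info` before filling it, and the next two hunks add the same line to rf_check_parityrewrite_status_ext and rf_check_copyback_status_ext, but none of the three documents that guarantee. A comment above each function such as `/* Fully initializes *info, padding included, so the caller may copy it out as is. */` would tell callers they need not zero the structure themselves. It also means anything a caller stored in `*info` beforehand is discarded, which is worth checking against the call sites; they are not visible here. All three function bodies continue past their hunks.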
@@ -3874,6 +3876,8 @@ void
 rf_check_parityrewrite_status_ext(RF_Raid_t *raidPtr, RF_ProgressInfo_t *info)
 {
 
+	memset(info, 0, sizeof(*info));
+
 	if (raidPtr->parity_rewrite_in_progress == 1) {
 		info->total = raidPtr->Layout.numStripe;
 		info->completed = raidPtr->parity_rewrite_stripes_done;
@@ -3889,6 +3893,8 @@ void
 rf_check_copyback_status_ext(RF_Raid_t *raidPtr, RF_ProgressInfo_t *info)
 {
 
+	memset(info, 0, sizeof(*info));
+
 	if (raidPtr->copyback_in_progress == 1) {
 		info->total = raidPtr->Layout.numStripe;
 		info->completed = raidPtr->copyback_stripes_done;

Index: src/sys/dev/scsipi/ses.c
diff -u src/sys/dev/scsipi/ses.c:1.51 src/sys/dev/scsipi/ses.c:1.52
--- src/sys/dev/scsipi/ses.c:1.51	Fri Mar  8 08:35:58 2019
+++ src/sys/dev/scsipi/ses.c	Thu Sep  9 23:26:37 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: ses.c,v 1.51 2019/03/08 08:35:58 msaitoh Exp $ */
+/*	$NetBSD: ses.c,v 1.52 2021/09/09 23:26:37 riastradh Exp $ */
 /*
  * Copyright (C) 2000 National Aeronautics & Space Administration
  * All rights reserved.
@@ -26,7 +26,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ses.c,v 1.51 2019/03/08 08:35:58 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ses.c,v 1.52 2021/09/09 23:26:37 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_scsi.h"
@@ -415,6 +415,7 @@ sesioctl(dev_t dev, u_long cmd, void *ar
 	case SESIOC_GETOBJMAP:
 		if (addr == NULL)
 			return EINVAL;
+		memset(&obj, 0, sizeof(obj));
 		for (uobj = addr, i = 0; i != ssc->ses_nobjects; i++, uobj++) {
 			obj.obj_id = i;
 			obj.subencid = ssc->ses_objmap[i].subenclosure;
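Review bot: In the SESIOC_GETOBJMAP case `obj` is cleared once before the loop and then reused on every iteration, and nothing explains why the single memset is enough. A comment above it such as `/* Zero once: obj is reused for each object and copied out whole, padding included. */` would stop someone from deleting the memset as redundant with the member assignments. The rest of the loop body, including the copy to `uobj`, lies outside the hunk, so the copyout is assumed from the log message.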
