From: Ed Maste
Date: Sun, 8 Apr 2018 20:50:17 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r332303 - stable/11/sys/dev/ath

Author: emaste
Date: Sun Apr 8 20:50:16 2018
New Revision: 332303
URL: https://svnweb.freebsd.org/changeset/base/332303

Log:
  MFC ath(4) potential memory disclosure fixes

  [1] r327499: ath: fix memory disclosure from ath_btcoex_ioctl

  The ath_btcoex_ioctl handler allocated a buffer without M_ZERO and
  returned it to userland without writing to it.

  The device has permissions only for root so this is not urgent, and the
  fix can be MFCd and considered for a future EN.

  [2] r327500: ath: fix possible memory disclosures in ioctl handlers

  Apply the fix from r327499 to additional ioctl handlers.

[3] r327529: ath: fix possible memory disclosure in ioctl handler Submitted by: Domagoj Stolfa [1,3] Reported by: Ilja van Sprundel [1,2] Reviewed by: adrian [1] Sponsored by: The FreeBSD Foundation Modified: stable/11/sys/dev/ath/if_ath_btcoex.c stable/11/sys/dev/ath/if_ath_ioctl.c stable/11/sys/dev/ath/if_ath_lna_div.c stable/11/sys/dev/ath/if_ath_spectral.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/dev/ath/if_ath_btcoex.c ============================================================================== --- stable/11/sys/dev/ath/if_ath_btcoex.c Sun Apr 8 20:30:52 2018 (r332302) +++ stable/11/sys/dev/ath/if_ath_btcoex.c Sun Apr 8 20:50:16 2018 (r332303) @@ -457,7 +457,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; @@ -466,6 +466,7 @@ ath_btcoex_ioctl(struct ath_softc *sc, struct ath_diag switch (id) { default: error = EINVAL; + goto bad; } if (outsize < ad->ad_out_size) ad->ad_out_size = outsize; Modified: stable/11/sys/dev/ath/if_ath_ioctl.c ============================================================================== --- stable/11/sys/dev/ath/if_ath_ioctl.c Sun Apr 8 20:30:52 2018 (r332302) +++ stable/11/sys/dev/ath/if_ath_ioctl.c Sun Apr 8 20:50:16 2018 (r332303) 
@@ -197,7 +197,7 @@ ath_ioctl_diag(struct ath_softc *sc, struct ath_diag * * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; Modified: stable/11/sys/dev/ath/if_ath_lna_div.c ============================================================================== --- stable/11/sys/dev/ath/if_ath_lna_div.c Sun Apr 8 20:30:52 2018 (r332302) +++ stable/11/sys/dev/ath/if_ath_lna_div.c Sun Apr 8 20:50:16 2018 (r332303) @@ -187,7 +187,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; @@ -196,6 +196,7 @@ ath_lna_div_ioctl(struct ath_softc *sc, struct ath_dia switch (id) { default: error = EINVAL; + goto bad; } if (outsize < ad->ad_out_size) ad->ad_out_size = outsize; Modified: stable/11/sys/dev/ath/if_ath_spectral.c ============================================================================== --- stable/11/sys/dev/ath/if_ath_spectral.c Sun Apr 8 20:30:52 2018 (r332302) +++ stable/11/sys/dev/ath/if_ath_spectral.c Sun Apr 8 20:50:16 2018 (r332303) @@ -212,7 +212,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di * pointer for us to use below in reclaiming the buffer; * may want to be more defensive. */ - outdata = malloc(outsize, M_TEMP, M_NOWAIT); + outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO); if (outdata == NULL) { error = ENOMEM; goto bad; @@ -275,6 +275,7 @@ ath_ioctl_spectral(struct ath_softc *sc, struct ath_di break; default: error = EINVAL; + goto bad; } if (outsize < ad->ad_out_size) ad->ad_out_size = outsize;
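
Review bot: in the second if_ath_btcoex.c hunk (@@ -466,6 +466,7 @@) the switch shown has only a `default:` case, so with the added `goto bad;` the code below the switch, starting at `if (outsize < ad->ad_out_size)`, can no longer be reached. That is the safe outcome, but it deserves a short comment stating that the handler currently supports no ids and that any case added later must write all of outdata before falling through. The same applies to the matching ath_lna_div_ioctl hunk in if_ath_lna_div.c.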
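
Review bot: the if_ath_ioctl.c hunk for ath_ioctl_diag changes only the allocation flags, while the other three handlers in this commit also get `goto bad;` on their `error = EINVAL` path. The diff context does not show how ath_ioctl_diag handles an unrecognised id, so please either state in the log that its error path already skips the copy to userland, or add the same early exit there so that M_ZERO is not the only protection for that handler.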
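
Review bot: in the if_ath_spectral.c hunk at @@ -275,6 +275,7 @@ the new `goto bad;` is taken after outdata has been allocated successfully, whereas the `goto bad` visible in the allocation hunk is the ENOMEM case where outdata is NULL. The `bad` label is outside the diff context; please confirm that it frees outdata (the existing comment refers to "reclaiming the buffer" below) so the EINVAL path does not replace a disclosure with a leak of outsize bytes per call.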