Source-Changes-HG archive


[src/trunk]: src/sys/dev sys/dev: Memset zero before copyout.



details:   https://anonhg.NetBSD.org/src/rev/b9cda7f85b2e
branches:  trunk
changeset: 1023474:b9cda7f85b2e
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Thu Sep 09 23:26:36 2021 +0000

description:
sys/dev: Memset zero before copyout.

Just in case of uninitialized padding which would lead to kernel
stack disclosure.  If the compiler can prove the memset redundant
then it can optimize it away; otherwise better safe than sorry.

I think the iwi(4), mcd(4), and ses(4) changes actually plug leaks;
the raidframe(4) change probably doesn't (but doesn't hurt).

diffstat:

 sys/dev/isa/mcd.c                  |   5 +++--
 sys/dev/pci/if_iwi.c               |   7 ++++---
 sys/dev/raidframe/rf_netbsdkintf.c |  10 ++++++++--
 sys/dev/scsipi/ses.c               |   5 +++--
 4 files changed, 18 insertions(+), 9 deletions(-)

diffs (126 lines):

diff -r ef60c059ea3f -r b9cda7f85b2e sys/dev/isa/mcd.c
--- a/sys/dev/isa/mcd.c Thu Sep 09 21:47:47 2021 +0000
+++ b/sys/dev/isa/mcd.c Thu Sep 09 23:26:36 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: mcd.c,v 1.120 2020/02/24 12:20:29 rin Exp $    */
+/*     $NetBSD: mcd.c,v 1.121 2021/09/09 23:26:36 riastradh Exp $      */
 
 /*
  * Copyright (c) 1993, 1994, 1995 Charles M. Hannum.  All rights reserved.
@@ -56,7 +56,7 @@
 /*static char COPYRIGHT[] = "mcd-driver (C)1993 by H.Veit & B.Moore";*/
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: mcd.c,v 1.120 2020/02/24 12:20:29 rin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: mcd.c,v 1.121 2021/09/09 23:26:36 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -1601,6 +1601,7 @@
        if ((error = mcd_getqchan(sc, &q, ch->data_format)) != 0)
                return error;
 
+       memset(info, 0, sizeof(*info));
        info->header.audio_status = sc->audio_status;
        info->what.media_catalog.data_format = ch->data_format;
 
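Review bot: The `memset(info, 0, sizeof(*info))` sits after the `mcd_getqchan` error return, so on that path, and on any earlier return outside this hunk, `info` is left exactly as the caller passed it. That is only safe if the caller never copies `info` out when this function returns non-zero; the caller is not visible here, so this should be confirmed. Moving the memset to the first statement of the function would make the guarantee unconditional, and a one-line comment such as `/* zero padding and unset bytes before the caller's copyout */` would record why it is there. The function starts and ends outside the hunk.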
diff -r ef60c059ea3f -r b9cda7f85b2e sys/dev/pci/if_iwi.c
--- a/sys/dev/pci/if_iwi.c      Thu Sep 09 21:47:47 2021 +0000
+++ b/sys/dev/pci/if_iwi.c      Thu Sep 09 23:26:36 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_iwi.c,v 1.116 2021/06/16 00:21:18 riastradh Exp $  */
+/*     $NetBSD: if_iwi.c,v 1.117 2021/09/09 23:26:36 riastradh Exp $  */
 /*     $OpenBSD: if_iwi.c,v 1.111 2010/11/15 19:11:57 damien Exp $     */
 
 /*-
@@ -19,7 +19,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_iwi.c,v 1.116 2021/06/16 00:21:18 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_iwi.c,v 1.117 2021/09/09 23:26:36 riastradh Exp $");
 
 /*-
  * Intel(R) PRO/Wireless 2200BG/2225BG/2915ABG driver
@@ -1870,8 +1870,9 @@
 {
        uint32_t size, buf[128];
 
+       memset(buf, 0, sizeof buf);
+
        if (!(sc->flags & IWI_FLAG_FW_INITED)) {
-               memset(buf, 0, sizeof buf);
                return copyout(buf, tbl, sizeof buf);
        }
 
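Review bot: The hoisted `memset(buf, 0, sizeof buf)` has no comment saying why it must run before the `IWI_FLAG_FW_INITED` check, and without one it looks like a candidate for being moved back into the branch by a later cleanup. The visible branch copies out all `sizeof buf` bytes; presumably the path after the hunk does the same after filling only part of the 128-word array, which is what the unconditional zeroing covers. I would add `/* copyout sends the whole array; zero it so unfilled words never carry stack contents */` above the memset. The function continues outside the hunk, so the fill and the final copyout should be checked against that assumption.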
diff -r ef60c059ea3f -r b9cda7f85b2e sys/dev/raidframe/rf_netbsdkintf.c
--- a/sys/dev/raidframe/rf_netbsdkintf.c        Thu Sep 09 21:47:47 2021 +0000
+++ b/sys/dev/raidframe/rf_netbsdkintf.c        Thu Sep 09 23:26:36 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: rf_netbsdkintf.c,v 1.400 2021/08/28 16:00:52 oster Exp $       */
+/*     $NetBSD: rf_netbsdkintf.c,v 1.401 2021/09/09 23:26:37 riastradh Exp $   */
 
 /*-
  * Copyright (c) 1996, 1997, 1998, 2008-2011 The NetBSD Foundation, Inc.
@@ -101,7 +101,7 @@
  ***********************************************************/
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rf_netbsdkintf.c,v 1.400 2021/08/28 16:00:52 oster Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rf_netbsdkintf.c,v 1.401 2021/09/09 23:26:37 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_raid_autoconfig.h"
@@ -3859,6 +3859,8 @@
 rf_check_recon_status_ext(RF_Raid_t *raidPtr, RF_ProgressInfo_t *info)
 {
 
+       memset(info, 0, sizeof(*info));
+
        if (raidPtr->status != rf_rs_reconstructing) {
                info->total = 100;
                info->completed = 100;
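Review bot: `memset(info, 0, sizeof(*info))` is now repeated at the top of three functions (this one, `rf_check_parityrewrite_status_ext` and `rf_check_copyback_status_ext`), and each clears a caller-owned `RF_ProgressInfo_t` whose copyout happens somewhere not shown. Zeroing in the callee protects only buffers routed through these helpers; if the ioctl handler declares the structure on its stack, clearing it at the declaration or just before the copyout would also cover any path that skips the helper. If the callee placement is kept, a shared comment such as `/* info is copied out to userland by the caller: clear padding first */` would make the contract explicit. All three bodies continue past their hunks.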
@@ -3874,6 +3876,8 @@
 rf_check_parityrewrite_status_ext(RF_Raid_t *raidPtr, RF_ProgressInfo_t *info)
 {
 
+       memset(info, 0, sizeof(*info));
+
        if (raidPtr->parity_rewrite_in_progress == 1) {
                info->total = raidPtr->Layout.numStripe;
                info->completed = raidPtr->parity_rewrite_stripes_done;
@@ -3889,6 +3893,8 @@
 rf_check_copyback_status_ext(RF_Raid_t *raidPtr, RF_ProgressInfo_t *info)
 {
 
+       memset(info, 0, sizeof(*info));
+
        if (raidPtr->copyback_in_progress == 1) {
                info->total = raidPtr->Layout.numStripe;
                info->completed = raidPtr->copyback_stripes_done;
diff -r ef60c059ea3f -r b9cda7f85b2e sys/dev/scsipi/ses.c
--- a/sys/dev/scsipi/ses.c      Thu Sep 09 21:47:47 2021 +0000
+++ b/sys/dev/scsipi/ses.c      Thu Sep 09 23:26:36 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ses.c,v 1.51 2019/03/08 08:35:58 msaitoh Exp $ */
+/*     $NetBSD: ses.c,v 1.52 2021/09/09 23:26:37 riastradh Exp $ */
 /*
  * Copyright (C) 2000 National Aeronautics & Space Administration
  * All rights reserved.
@@ -26,7 +26,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ses.c,v 1.51 2019/03/08 08:35:58 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ses.c,v 1.52 2021/09/09 23:26:37 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_scsi.h"
@@ -415,6 +415,7 @@
        case SESIOC_GETOBJMAP:
                if (addr == NULL)
                        return EINVAL;
+               memset(&obj, 0, sizeof(obj));
                for (uobj = addr, i = 0; i != ssc->ses_nobjects; i++, uobj++) {
                        obj.obj_id = i;
                        obj.subencid = ssc->ses_objmap[i].subenclosure;
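Review bot: The single `memset(&obj, 0, sizeof(obj))` before the loop relies on every iteration overwriting the same named members, so that only the padding depends on the initial clear. That holds for the `obj_id` and `subencid` stores visible here, but the rest of the loop body, presumably including the copyout to `uobj`, is outside the hunk, so it should be confirmed that no member is assigned conditionally. Strictly, C leaves padding bytes unspecified after a member store, so clear-then-assign depends on the compiler not touching padding; that is worth recording in a comment such as `/* clear padding once; every field is rewritten per object */`.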


