From 7a37f4cc69ff6c5507e5652a3a273204d40fedaf Mon Sep 17 00:00:00 2001
From: emaste
Date: Wed, 28 Mar 2018 13:44:02 +0000
Subject: [PATCH] MFC r331329: Fix kernel memory disclosure in ibcs2_getdents

ibcs2_getdents() copies a dirent structure to userland. The ibcs2 dirent structure contains a 2 byte pad element. This element is never initialized, but copied to userland none-the-less. Note that ibcs2 has not built on HEAD since r302095.
Submitted by: Domagoj Stolfa
Reported by: Ilja Van Sprundel
Security: Kernel memory disclosure (803)
Sponsored by: The FreeBSD Foundation
git-svn-id: svn://svn.freebsd.org/base/stable/10@331671 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 sys/i386/ibcs2/ibcs2_misc.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/sys/i386/ibcs2/ibcs2_misc.c b/sys/i386/ibcs2/ibcs2_misc.c
index 270147145..b0e1dff30 100644
--- a/sys/i386/ibcs2/ibcs2_misc.c
+++ b/sys/i386/ibcs2/ibcs2_misc.c
@@ -352,6 +352,7 @@ ibcs2_getdents(td, uap)
 #define BSD_DIRENT(cp) ((struct dirent *)(cp))
 #define IBCS2_RECLEN(reclen) (reclen + sizeof(u_short))
+ memset(&idb, 0, sizeof(idb));
 error = getvnode(td->td_proc->p_fd, uap->fd, cap_rights_init(&rights, CAP_READ), &fp);
 if (error != 0)
-- 
2.45.0
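Review bot: The added `memset(&idb, 0, sizeof(idb));` carries no comment saying it is a disclosure fix, so a later cleanup could drop it as redundant on the grounds that the named fields are assigned before use. I would put `/* Zero idb, pad bytes included: the whole structure is copied out to userland. */` directly above it. The rest of ibcs2_getdents is outside this hunk, so it cannot be confirmed from here that idb is only filled field by field afterwards and never assigned from another partially initialized object; if it is reused per directory entry, a single clear before the loop covers the pad only as long as nothing writes to it later. Other places in this file that copy a compat structure with padding out to userland are worth checking for the same pattern.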