From 38c36d9914a1b043adebcc1eac9c25bcc422771c Mon Sep 17 00:00:00 2001 From: emaste Date: Thu, 29 Mar 2018 22:31:14 +0000 Subject: [PATCH] MF11 r331330: Fix kernel memory disclosure in svr4_sys_getdents64 svr4_sys_getdents64() copies a dirent structure to userland. When calculating the record length for any given dirent entry alignment is performed. However, the aligned bytes are not cleared, this will trigger an info leak. Reported by: Ilja Van Sprundel Security: Kernel memory disclosure (801) Sponsored by: The FreeBSD Foundation git-svn-id: svn://svn.freebsd.org/base/stable/10@331749 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- sys/compat/svr4/svr4_misc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/compat/svr4/svr4_misc.c b/sys/compat/svr4/svr4_misc.c index 5d1a40981..f01efc5f8 100644 --- a/sys/compat/svr4/svr4_misc.c +++ b/sys/compat/svr4/svr4_misc.c @@ -260,6 +260,7 @@ svr4_sys_getdents64(td, uap) u_long *cookies = NULL, *cookiep; int ncookies; + memset(&svr4_dirent, 0, sizeof(svr4_dirent)); DPRINTF(("svr4_sys_getdents64(%d, *, %d)\n", uap->fd, uap->nbytes)); error = getvnode(td->td_proc->p_fd, uap->fd, -- 2.45.0
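Review bot: The memset(&svr4_dirent, 0, sizeof(svr4_dirent)) added ahead of the DPRINTF call runs once per syscall, while the commit message places the leak in the alignment done for each dirent entry. Clearing once at entry does remove uninitialised stack contents from the structure. However, if svr4_dirent is refilled for every entry in the copy loop (not visible in this hunk), the alignment bytes after a shorter name can still hold the tail of an earlier, longer name. That is directory data rather than kernel stack, but it is worth confirming against the loop body, or moving the clear to just before each entry is filled. A one-line comment above the memset saying it exists to keep padding bytes from reaching userland would also stop it being removed later as redundant initialisation.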