From 031088804f247b1d2cf2263f6c25ee314c0dc528 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Mon, 9 Aug 2021 15:08:32 +0000 Subject: [PATCH 1/7] compat_netbsd32: Copy out 32-bit version in nfssvc32_nsd_out. --- sys/compat/netbsd32/netbsd32_nfssvc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/compat/netbsd32/netbsd32_nfssvc.c b/sys/compat/netbsd32/netbsd32_nfssvc.c index aacd4ae641e3..91e01393e3e7 100644 --- a/sys/compat/netbsd32/netbsd32_nfssvc.c +++ b/sys/compat/netbsd32/netbsd32_nfssvc.c @@ -134,7 +134,7 @@ nfssvc32_nsd_out(void *argp, const struct nfsd_srvargs *nsd) args32.nsd_key[0] = nsd->nsd_key[0]; args32.nsd_key[1] = nsd->nsd_key[1]; - return copyout(nsd, argp, sizeof *nsd); + return copyout(&args32, argp, sizeof args32); } static int From e7146cf0ac3e60ca9f38b792e9ba368d77a01845 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Mon, 9 Aug 2021 15:27:58 +0000 Subject: [PATCH 2/7] sys/compat: Don't clobber f_oflags with zero. Mistake was introduced in previous refactoring. --- sys/compat/sys/mount.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/compat/sys/mount.h b/sys/compat/sys/mount.h index eaec28c9d324..639c2fadc29d 100644 --- a/sys/compat/sys/mount.h +++ b/sys/compat/sys/mount.h @@ -101,10 +101,12 @@ static __inline void statvfs_to_statfs12(const struct statvfs *fs, struct statfs12 *s12) { size_t i = 0; + + memset(s12, 0, sizeof(*s12)); + s12->f_type = 0; s12->f_oflags = (short)fs->f_flag; - memset(s12, 0, sizeof(*s12)); for (i = 0; i < sizeof(__nv) / sizeof(__nv[0]); i++) { if (strcmp(__nv[i].name, fs->f_fstypename) == 0) { s12->f_type = __nv[i].value; From b091aee32bb369602c62c00730348fa77e5121a2 Mon Sep 17 00:00:00 2001 
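Review bot: Whether args32 is zeroed before its fields are filled in is not visible in this hunk, and if it is a stack local whose type has padding, `copyout(&args32, argp, sizeof args32)` still copies uninitialized kernel stack bytes to userland — the very issue patches 3 and 4 of this series address. Patch 4's diffstat lists netbsd32_nfssvc.c with one insertion, which may be exactly that zeroing; if it is not, add `memset(&args32, 0, sizeof(args32));` ahead of the nsd_key assignments. The body of nfssvc32_nsd_out starts before the hunk.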
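Review bot: With the memset now ahead of it, `s12->f_type = 0;` in statvfs_to_statfs12 is redundant and can be dropped, or kept only if the explicit default is meant to document the lookup loop below. The reordering itself is the right fix: the previous placement wiped f_oflags after it had been set, as the commit message says. Because this is a `static __inline` in a header, memset has to be declared for every includer; it was already called here before this change, so that is presumably covered. The function body continues past the end of the hunk.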
From: Taylor R Campbell Date: Mon, 9 Aug 2021 16:03:34 +0000 Subject: [PATCH 3/7] sys/altq: Memset zero before copyout. Just in case of uninitialized padding which would lead to kernel stack disclosure. If the compiler can prove the memset redundant then it can optimize it away; otherwise better safe than sorry. --- sys/altq/altq_hfsc.c | 1 + sys/altq/altq_priq.c | 3 +-- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/altq/altq_hfsc.c b/sys/altq/altq_hfsc.c index 96cfa7f878d4..ef55c0780675 100644 --- a/sys/altq/altq_hfsc.c +++ b/sys/altq/altq_hfsc.c @@ -2182,6 +2182,7 @@ hfsccmd_class_stats(struct hfsc_class_stats *ap) usp = ap->stats; for (n = 0; cl != NULL && n < nclasses; cl = hfsc_nextclass(cl), n++) { + memset(&stats, 0, sizeof(stats)); get_class_stats(&stats, cl); if ((error = copyout((void *)&stats, (void *)usp++, diff --git a/sys/altq/altq_priq.c b/sys/altq/altq_priq.c index 7e8cd57f5a0b..6a04923d343c 100644 --- a/sys/altq/altq_priq.c +++ b/sys/altq/altq_priq.c @@ -958,10 +958,9 @@ priqcmd_class_stats(struct priq_class_stats *ap) usp = ap->stats; for (pri = 0; pri <= pif->pif_maxpri; pri++) { cl = pif->pif_classes[pri]; + memset(&stats, 0, sizeof(stats)); if (cl != NULL) get_class_stats(&stats, cl); - else - memset(&stats, 0, sizeof(stats)); if ((error = copyout((void *)&stats, (void *)usp++, sizeof(stats))) != 0) return (error); From dd89b136e00e4b88a11141d3193513f0ae0cc425 Mon Sep 17 00:00:00 2001 
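Review bot: The zeroing could live inside get_class_stats instead of at each call site, which is how the struct converters in the rest of this series (cvtstat, compat_12_stat_conv, the sigaction converters) are handled; that would cover any other caller of get_class_stats too, and the `else memset` removed from priqcmd_class_stats would then be unnecessary by construction. I cannot see get_class_stats or its other callers from this hunk, so treat that as a suggestion to confirm. As a minor style point, the `(void *)` casts on the copyout arguments are unnecessary in C. The same applies to the altq_priq.c hunk that follows; both loops continue past their hunks.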
From: Taylor R Campbell Date: Mon, 9 Aug 2021 16:04:44 +0000 Subject: [PATCH 4/7] sys/compat: Memset zero before copyout. Just in case of uninitialized padding which would lead to kernel stack disclosure. If the compiler can prove the memset redundant then it can optimize it away; otherwise better safe than sorry. --- sys/compat/common/ieee80211_20.c | 3 + sys/compat/common/if_media_80.c | 3 +- sys/compat/common/kern_info_09.c | 1 + sys/compat/common/kern_info_43.c | 2 + sys/compat/common/kern_resource_43.c | 1 + sys/compat/common/kern_sig_13.c | 3 + sys/compat/common/kern_sig_43.c | 6 ++ sys/compat/common/kern_time_50.c | 2 + sys/compat/common/vfs_syscalls_12.c | 2 + sys/compat/common/vfs_syscalls_30.c | 3 + sys/compat/common/vfs_syscalls_43.c | 1 + sys/compat/freebsd/freebsd_machdep.c | 2 + sys/compat/freebsd/freebsd_misc.c | 1 + sys/compat/freebsd/freebsd_sched.c | 1 + sys/compat/linux/arch/alpha/linux_machdep.c | 4 ++ sys/compat/linux/arch/alpha/linux_osf1.c | 5 +- sys/compat/linux/arch/amd64/linux_machdep.c | 1 + sys/compat/linux/arch/arm/linux_machdep.c | 2 + sys/compat/linux/arch/arm/linux_ptrace.c | 1 + sys/compat/linux/arch/i386/linux_machdep.c | 7 +++ sys/compat/linux/arch/i386/linux_ptrace.c | 1 + sys/compat/linux/arch/m68k/linux_machdep.c | 4 ++ sys/compat/linux/arch/mips/linux_machdep.c | 1 + .../linux/arch/powerpc/linux_exec_powerpc.c | 2 +- sys/compat/linux/arch/powerpc/linux_machdep.c | 1 + sys/compat/linux/arch/powerpc/linux_ptrace.c | 3 +- sys/compat/linux/common/linux_cdrom.c | 2 + sys/compat/linux/common/linux_fdio.c | 1 + sys/compat/linux/common/linux_file.c | 1 + sys/compat/linux/common/linux_hdio.c | 2 + sys/compat/linux/common/linux_misc.c | 3 + sys/compat/linux/common/linux_mtio.c | 1 + sys/compat/linux/common/linux_oldolduname.c | 2 + sys/compat/linux/common/linux_olduname.c | 2 + sys/compat/linux/common/linux_sched.c | 2 + sys/compat/linux/common/linux_signal.c | 8 +++ sys/compat/linux/common/linux_socket.c | 3 + 
sys/compat/linux/common/linux_time.c | 2 + .../linux32/arch/amd64/linux32_machdep.c | 2 + .../linux32/common/linux32_exec_elf32.c | 2 + sys/compat/linux32/common/linux32_resource.c | 1 + sys/compat/linux32/common/linux32_signal.c | 2 + sys/compat/linux32/common/linux32_time.c | 6 ++ sys/compat/netbsd32/netbsd32_compat_12.c | 1 + sys/compat/netbsd32/netbsd32_compat_20.c | 2 + sys/compat/netbsd32/netbsd32_compat_43.c | 2 + sys/compat/netbsd32/netbsd32_compat_50.c | 6 ++ sys/compat/netbsd32/netbsd32_conv.h | 60 +++++++++++++++++-- sys/compat/netbsd32/netbsd32_nfssvc.c | 1 + sys/compat/netbsd32/netbsd32_ptrace.c | 3 + sys/compat/netbsd32/netbsd32_signal.c | 3 + sys/compat/netbsd32/netbsd32_time.c | 4 ++ sys/compat/netbsd32/netbsd32_wait.c | 1 + sys/compat/ossaudio/ossaudio.c | 4 ++ sys/compat/sunos/sunos_ioctl.c | 16 +++++ sys/compat/sunos/sunos_misc.c | 3 + sys/compat/sunos32/sunos32_ioctl.c | 17 ++++++ sys/compat/sunos32/sunos32_misc.c | 4 ++ sys/compat/sys/statvfs.h | 3 + sys/compat/sys/time_types.h | 41 +++++++------ sys/compat/ultrix/ultrix_ioctl.c | 9 +++ sys/compat/ultrix/ultrix_misc.c | 5 ++ 62 files changed, 265 insertions(+), 25 deletions(-) diff --git a/sys/compat/common/ieee80211_20.c b/sys/compat/common/ieee80211_20.c index d61b71f388fd..c7f5acd4b291 100644 --- a/sys/compat/common/ieee80211_20.c +++ b/sys/compat/common/ieee80211_20.c @@ -76,6 +76,9 @@ static void ieee80211_get_ostats(struct ieee80211_ostats *ostats, struct ieee80211_stats *stats) { + + memset(ostats, 0, sizeof(*ostats)); + #define COPYSTATS1(__ostats, __nstats, __dstmemb, __srcmemb, __lastmemb)\ (void)memcpy(&(__ostats)->__dstmemb, &(__nstats)->__srcmemb, \ offsetof(struct ieee80211_stats, __lastmemb) - \ diff --git a/sys/compat/common/if_media_80.c b/sys/compat/common/if_media_80.c index 7958577afd24..f0e8fd34a293 100644 --- a/sys/compat/common/if_media_80.c +++ b/sys/compat/common/if_media_80.c 
@@ -141,7 +141,8 @@ compat_ifmediareq_post(struct ifreq *ifr, u_long cmd) * there is no problem to trust ifm_count. */ minwords = ifmr->ifm_count; - kptr = malloc(minwords * sizeof(*kptr), M_TEMP, M_WAITOK); + kptr = malloc(minwords * sizeof(*kptr), M_TEMP, + M_WAITOK|M_ZERO); if (kptr == NULL) return ENOMEM; diff --git a/sys/compat/common/kern_info_09.c b/sys/compat/common/kern_info_09.c index 149a575f4b4c..795760b23b9b 100644 --- a/sys/compat/common/kern_info_09.c +++ b/sys/compat/common/kern_info_09.c @@ -120,6 +120,7 @@ compat_09_sys_uname(struct lwp *l, const char *cp; char *dp, *ep; + memset(&outsname, 0, sizeof(outsname)); strncpy(outsname.sysname, ostype, sizeof(outsname.sysname)); strncpy(outsname.nodename, hostname, sizeof(outsname.nodename)); strncpy(outsname.release, osrelease, sizeof(outsname.release)); diff --git a/sys/compat/common/kern_info_43.c b/sys/compat/common/kern_info_43.c index 81009d191c89..70670f283d4b 100644 --- a/sys/compat/common/kern_info_43.c +++ b/sys/compat/common/kern_info_43.c @@ -263,6 +263,8 @@ compat_43_sys_getkerninfo(struct lwp *l, const struct compat_43_sys_getkerninfo_ break; } + memset(&ksi, 0, sizeof(ksi)); + #define COPY(fld) \ ksi.fld = us - (u_long) usi; \ if ((error = copyoutstr(fld, us, 1024, &len)) != 0)\ diff --git a/sys/compat/common/kern_resource_43.c b/sys/compat/common/kern_resource_43.c index a0730c9ef340..4defba33cc7f 100644 --- a/sys/compat/common/kern_resource_43.c +++ b/sys/compat/common/kern_resource_43.c @@ -77,6 +77,7 @@ compat_43_sys_getrlimit(struct lwp *l, const struct compat_43_sys_getrlimit_args if ((u_int)which >= RLIM_NLIMITS) return (EINVAL); + memset(&olim, 0, sizeof(olim)); olim.rlim_cur = p->p_rlimit[which].rlim_cur; if (olim.rlim_cur == -1) olim.rlim_cur = 0x7fffffff; diff --git a/sys/compat/common/kern_sig_13.c b/sys/compat/common/kern_sig_13.c index 453dbc0d7882..f945de71108c 100644 --- a/sys/compat/common/kern_sig_13.c +++ b/sys/compat/common/kern_sig_13.c 
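Review bot: The `if (kptr == NULL) return ENOMEM;` that follows the allocation is dead with M_WAITOK, since malloc(9) with that flag sleeps rather than returning NULL as documented; either drop the check or, if a failure path is genuinely wanted here, request M_NOWAIT. Adding M_ZERO is the right fix for the padding concern because it covers the whole `minwords * sizeof(*kptr)` region regardless of how many words are later filled in. compat_ifmediareq_post begins before the hunk and continues after it.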
@@ -73,6 +73,7 @@ void native_sigset13_to_sigset(const sigset13_t *oss, sigset_t *ss) { + memset(ss, 0, sizeof(*ss)); ss->__bits[0] = *oss; ss->__bits[1] = 0; ss->__bits[2] = 0; @@ -90,6 +91,7 @@ void native_sigaction13_to_sigaction(const struct sigaction13 *osa, struct sigaction *sa) { + memset(sa, 0, sizeof(*sa)); sa->sa_handler = osa->osa_handler; native_sigset13_to_sigset(&osa->osa_mask, &sa->sa_mask); sa->sa_flags = osa->osa_flags; @@ -99,6 +101,7 @@ void native_sigaction_to_sigaction13(const struct sigaction *sa, struct sigaction13 *osa) { + memset(osa, 0, sizeof(*osa)); osa->osa_handler = sa->sa_handler; native_sigset_to_sigset13(&sa->sa_mask, &osa->osa_mask); osa->osa_flags = sa->sa_flags; diff --git a/sys/compat/common/kern_sig_43.c b/sys/compat/common/kern_sig_43.c index 4aa9e5fb0963..86637953e2e7 100644 --- a/sys/compat/common/kern_sig_43.c +++ b/sys/compat/common/kern_sig_43.c @@ -86,6 +86,7 @@ void compat_43_sigmask_to_sigset(const int *sm, sigset_t *ss) { + memset(ss, 0, sizeof(*ss)); ss->__bits[0] = *sm; ss->__bits[1] = 0; ss->__bits[2] = 0; @@ -102,6 +103,8 @@ compat_43_sigset_to_sigmask(const sigset_t *ss, int *sm) void compat_43_sigvec_to_sigaction(const struct sigvec *sv, struct sigaction *sa) { + + memset(sa, 0, sizeof(*sa)); sa->sa_handler = sv->sv_handler; compat_43_sigmask_to_sigset(&sv->sv_mask, &sa->sa_mask); sa->sa_flags = sv->sv_flags ^ SA_RESTART; @@ -110,6 +113,8 @@ compat_43_sigvec_to_sigaction(const struct sigvec *sv, struct sigaction *sa) void compat_43_sigaction_to_sigvec(const struct sigaction *sa, struct sigvec *sv) { + + memset(sv, 0, sizeof(*sv)); sv->sv_handler = sa->sa_handler; compat_43_sigset_to_sigmask(&sa->sa_mask, &sv->sv_mask); sv->sv_flags = sa->sa_flags ^ SA_RESTART; 
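Review bot: After the new `memset(ss, 0, sizeof(*ss));` in native_sigset13_to_sigset, the explicit `ss->__bits[1] = 0;` and `ss->__bits[2] = 0;` are redundant; harmless, but a reader may wonder which of the two is authoritative, so either drop them or add a one-line comment saying the memset is the padding guard and the assignments document the ABI. The same pattern appears in compat_43_sigmask_to_sigset and compat_43_sigstack_to_sigaltstack (`sa->ss_flags = 0;`) in kern_sig_43.c, in compat_50_sys_gettimeofday (`tzfake.tz_minuteswest = 0; tzfake.tz_dsttime = 0;`) in kern_time_50.c, and in the LINUX_MTIOCGET case of linux_ioctl_mtio in linux_mtio.c. Each of these functions continues past its hunk.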
@@ -118,6 +123,7 @@ compat_43_sigaction_to_sigvec(const struct sigaction *sa, struct sigvec *sv) void compat_43_sigstack_to_sigaltstack(const struct sigstack *ss, struct sigaltstack *sa) { + memset(sa, 0, sizeof(*sa)); sa->ss_sp = ss->ss_sp; sa->ss_size = SIGSTKSZ; /* Use the recommended size */ sa->ss_flags = 0; diff --git a/sys/compat/common/kern_time_50.c b/sys/compat/common/kern_time_50.c index 3b37c892f470..5db953f1b026 100644 --- a/sys/compat/common/kern_time_50.c +++ b/sys/compat/common/kern_time_50.c @@ -226,6 +226,7 @@ compat_50_sys_gettimeofday(struct lwp *l, * NetBSD has no kernel notion of time zone, so we just * fake up a timezone struct and return it if demanded. */ + memset(&tzfake, 0, sizeof(tzfake)); tzfake.tz_minuteswest = 0; tzfake.tz_dsttime = 0; error = copyout(&tzfake, SCARG(uap, tzp), sizeof(tzfake)); @@ -458,6 +459,7 @@ compat_50_sys_mq_timedreceive(struct lwp *l, void rusage_to_rusage50(const struct rusage *ru, struct rusage50 *ru50) { + memset(ru50, 0, sizeof(*ru50)); (void)memcpy(&ru50->ru_first, &ru->ru_first, (char *)&ru50->ru_last - (char *)&ru50->ru_first + sizeof(ru50->ru_last)); diff --git a/sys/compat/common/vfs_syscalls_12.c b/sys/compat/common/vfs_syscalls_12.c index 4ec2f1be974a..61c27648f330 100644 --- a/sys/compat/common/vfs_syscalls_12.c +++ b/sys/compat/common/vfs_syscalls_12.c @@ -82,6 +82,7 @@ void compat_12_stat_conv(const struct stat *st, struct stat12 *ost) { + memset(ost, 0, sizeof(*ost)); ost->st_dev = st->st_dev; ost->st_ino = st->st_ino; ost->st_mode = st->st_mode & 0xffff; @@ -201,6 +202,7 @@ again: off += reclen; continue; } + memset(&idb, 0, sizeof(idb)); if (bdp->d_namlen >= sizeof(idb.d_name)) idb.d_namlen = sizeof(idb.d_name) - 1; else diff --git a/sys/compat/common/vfs_syscalls_30.c b/sys/compat/common/vfs_syscalls_30.c index 4ecb96efbdba..aa51428b545e 100644 --- a/sys/compat/common/vfs_syscalls_30.c +++ b/sys/compat/common/vfs_syscalls_30.c 
@@ -85,6 +85,7 @@ static void cvtstat(struct stat13 *ost, const struct stat *st) { + memset(ost, 0, sizeof(*ost)); ost->st_dev = st->st_dev; ost->st_ino = (uint32_t)st->st_ino; ost->st_mode = st->st_mode; @@ -302,6 +303,7 @@ again: error = EINVAL; goto out; } + memset(&idb, 0, sizeof(idb)); if (bdp->d_namlen >= sizeof(idb.d_name)) idb.d_namlen = sizeof(idb.d_name) - 1; else @@ -392,6 +394,7 @@ compat_30_sys_getfh(struct lwp *l, const struct compat_30_sys_getfh_args *uap, sz = sizeof(struct compat_30_fhandle); error = vfs_composefh(vp, (void *)&fh, &sz); vput(vp); + CTASSERT(FHANDLE_SIZE_COMPAT == sizeof(struct compat_30_fhandle)); if (sz != FHANDLE_SIZE_COMPAT) { error = EINVAL; } diff --git a/sys/compat/common/vfs_syscalls_43.c b/sys/compat/common/vfs_syscalls_43.c index 4462e4b0b8e1..f1bfacc7fc76 100644 --- a/sys/compat/common/vfs_syscalls_43.c +++ b/sys/compat/common/vfs_syscalls_43.c @@ -427,6 +427,7 @@ again: off += reclen; continue; } + memset(&idb, 0, sizeof(idb)); if (bdp->d_namlen >= sizeof(idb.d_name)) idb.d_namlen = sizeof(idb.d_name) - 1; else diff --git a/sys/compat/freebsd/freebsd_machdep.c b/sys/compat/freebsd/freebsd_machdep.c index 366b751edc96..7d896c7c7cde 100644 --- a/sys/compat/freebsd/freebsd_machdep.c +++ b/sys/compat/freebsd/freebsd_machdep.c @@ -88,6 +88,8 @@ freebsd_sendsig(const ksiginfo_t *ksi, const sigset_t *mask) fp--; + memset(&frame, 0, sizeof(frame)); + /* Build stack frame for signal trampoline. */ frame.sf_signum = sig; frame.sf_code = code; diff --git a/sys/compat/freebsd/freebsd_misc.c b/sys/compat/freebsd/freebsd_misc.c index d8fe63f74850..8bd050426944 100644 --- a/sys/compat/freebsd/freebsd_misc.c +++ b/sys/compat/freebsd/freebsd_misc.c 
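Review bot: The new `CTASSERT(FHANDLE_SIZE_COMPAT == sizeof(struct compat_30_fhandle));` in compat_30_sys_getfh is a compile-time check with no runtime effect, so it conventionally belongs at file scope next to the constant or type it pins rather than between `vput(vp);` and the `sz` test. It also does not make the runtime `if (sz != FHANDLE_SIZE_COMPAT)` redundant, since sz is an output of vfs_composefh and can legitimately differ from the buffer size. If the intent is to guard against fh being only partially written when the sizes disagree, a comment saying so next to the assertion would help the next reader. compat_30_sys_getfh begins before the hunk and continues after it.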
@@ -183,6 +183,7 @@ freebsd_sys_sigaction4(struct lwp *l, const struct freebsd_sys_sigaction4_args * if (error) return (error); if (SCARG(uap, osa)) { + memset(&oesa, 0, sizeof(oesa)); oesa.freebsd_sa_handler = obsa.sa_handler; oesa.freebsd_sa_mask = obsa.sa_mask; oesa.freebsd_sa_flags = obsa.sa_flags; diff --git a/sys/compat/freebsd/freebsd_sched.c b/sys/compat/freebsd/freebsd_sched.c index e7c4674f58ce..c2ab93200307 100644 --- a/sys/compat/freebsd/freebsd_sched.c +++ b/sys/compat/freebsd/freebsd_sched.c @@ -122,6 +122,7 @@ sched_native2freebsd(int native_policy, const struct sched_param *native_params, if (native_params != NULL && freebsd_params != NULL) { /* XXX: Needs adjustment to do a proper conversion. */ + memset(freebsd_params, 0, sizeof(*freebsd_params)); freebsd_params->sched_priority = native_params->sched_priority; } diff --git a/sys/compat/linux/arch/alpha/linux_machdep.c b/sys/compat/linux/arch/alpha/linux_machdep.c index e9ee45107fe3..29254630658f 100644 --- a/sys/compat/linux/arch/alpha/linux_machdep.c +++ b/sys/compat/linux/arch/alpha/linux_machdep.c @@ -139,6 +139,8 @@ setup_linux_rt_sigframe(struct trapframe *tf, const ksiginfo_t *ksi, sig, &onstack, sfp); #endif /* DEBUG */ + memset(&sigframe, 0, sizeof(sigframe)); + /* * Build the signal context to be used by sigreturn. */ @@ -232,6 +234,8 @@ void setup_linux_sigframe(struct trapframe *tf, const ksiginfo_t *ksi, sig, &onstack, sfp); #endif /* DEBUG */ + memset(&sigframe, 0, sizeof(sigframe)); + /* * Build the signal context to be used by sigreturn. */ diff --git a/sys/compat/linux/arch/alpha/linux_osf1.c b/sys/compat/linux/arch/alpha/linux_osf1.c index 3575281d1d63..5c4a5058aeee 100644 --- a/sys/compat/linux/arch/alpha/linux_osf1.c +++ b/sys/compat/linux/arch/alpha/linux_osf1.c 
@@ -109,6 +109,8 @@ static void osf1_cvt_rusage_from_native(const struct rusage *ru, struct osf1_rusage *oru) { + memset(oru, 0, sizeof(*oru)); + oru->ru_utime.tv_sec = ru->ru_utime.tv_sec; oru->ru_utime.tv_usec = ru->ru_utime.tv_usec; @@ -135,7 +137,7 @@ static void osf1_cvt_statfs_from_native(const struct statvfs *bsfs, struct osf1_statfs *osfs) { - memset(osfs, 0, sizeof (struct osf1_statfs)); + memset(osfs, 0, sizeof(*osfs)); if (!strncmp(MOUNT_FFS, bsfs->f_fstypename, sizeof(bsfs->f_fstypename))) osfs->f_type = OSF1_MOUNT_UFS; else if (!strncmp(MOUNT_NFS, bsfs->f_fstypename, sizeof(bsfs->f_fstypename))) @@ -665,6 +667,7 @@ linux_sys_osf1_usleep_thread(struct lwp *l, const struct linux_sys_osf1_usleep_t if (endtv.tv_sec < 0 || endtv.tv_usec < 0) endtv.tv_sec = endtv.tv_usec = 0; + memset(&endotv, 0, sizeof(endotv)); endotv.tv_sec = endtv.tv_sec; endotv.tv_usec = endtv.tv_usec; error = copyout(&endotv, SCARG(uap, slept), sizeof endotv); diff --git a/sys/compat/linux/arch/amd64/linux_machdep.c b/sys/compat/linux/arch/amd64/linux_machdep.c index b962a8b0f499..6ed6f8e57085 100644 --- a/sys/compat/linux/arch/amd64/linux_machdep.c +++ b/sys/compat/linux/arch/amd64/linux_machdep.c @@ -227,6 +227,7 @@ linux_sendsig(const ksiginfo_t *ksi, const sigset_t *mask) if (fpsp != NULL) { size_t fp_size = sizeof fpregs; /* The netbsd and linux structures both match the fxsave data */ + memset(&fpregs, 0, sizeof(fpregs)); (void)process_read_fpregs(l, &fpregs, &fp_size); error = copyout(&fpregs, fpsp, sizeof(*fpsp)); } diff --git a/sys/compat/linux/arch/arm/linux_machdep.c b/sys/compat/linux/arch/arm/linux_machdep.c index 6fca38b74dfa..e6741261dc0a 100644 --- a/sys/compat/linux/arch/arm/linux_machdep.c +++ b/sys/compat/linux/arch/arm/linux_machdep.c 
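Review bot: The return value of process_read_fpregs is still discarded with `(void)`, so on failure the handler now receives a fully zeroed FP state instead of stack garbage — safer, but silent; consider `error = process_read_fpregs(l, &fpregs, &fp_size);` and taking the same error path the following copyout uses. The copyout length is `sizeof(*fpsp)` while the buffer is `fpregs` and the read is bounded by fp_size; the comment says the layouts match, and a CTASSERT tying the two sizes together would document that assumption. linux_sendsig begins before the hunk and continues after it.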
@@ -107,6 +107,8 @@ linux_sendsig(const ksiginfo_t *ksi, const sigset_t *mask) /* Build stack frame for signal trampoline. */ + memset(&frame, 0, sizeof(frame)); + /* Save register context. */ frame.sf_sc.sc_r0 = tf->tf_r0; frame.sf_sc.sc_r1 = tf->tf_r1; diff --git a/sys/compat/linux/arch/arm/linux_ptrace.c b/sys/compat/linux/arch/arm/linux_ptrace.c index a8e14eab33b8..159b7ff12e28 100644 --- a/sys/compat/linux/arch/arm/linux_ptrace.c +++ b/sys/compat/linux/arch/arm/linux_ptrace.c @@ -180,6 +180,7 @@ linux_sys_ptrace_arch(struct lwp *l, const struct linux_sys_ptrace_args *uap, if (error) { break; } + memset(linux_regs, 0, sizeof(*linux_regs)); memcpy(linux_regs->uregs, regs->r, 13 * sizeof(register_t)); linux_regs->uregs[LINUX_REG_SP] = regs->r_sp; linux_regs->uregs[LINUX_REG_LR] = regs->r_lr; diff --git a/sys/compat/linux/arch/i386/linux_machdep.c b/sys/compat/linux/arch/i386/linux_machdep.c index 0a6b4272e0b2..b77a1ff985fd 100644 --- a/sys/compat/linux/arch/i386/linux_machdep.c +++ b/sys/compat/linux/arch/i386/linux_machdep.c @@ -252,6 +252,8 @@ linux_rt_sendsig(const ksiginfo_t *ksi, const sigset_t *mask) onstack, fp, sig, tf->tf_eip, ((struct pcb *)lwp_getpcb(l))->pcb_cr2)); + memset(&frame, 0, sizeof(frame)); + /* Build stack frame for signal trampoline. */ frame.sf_handler = catcher; frame.sf_sig = native_to_linux_signo[sig]; @@ -329,6 +331,8 @@ linux_old_sendsig(const ksiginfo_t *ksi, const sigset_t *mask) onstack, fp, sig, tf->tf_eip, ((struct pcb *)lwp_getpcb(l))->pcb_cr2)); + memset(&frame, 0, sizeof(frame)); + /* Build stack frame for signal trampoline. */ frame.sf_handler = catcher; frame.sf_sig = native_to_linux_signo[sig]; @@ -837,6 +841,7 @@ linux_machdepioctl(struct lwp *l, const struct linux_sys_ioctl_args *uap, regist com = VT_OPENQRY; break; case LINUX_VT_GETMODE: + memset(&lvt, 0, sizeof(lvt)); error = fp->f_ops->fo_ioctl(fp, VT_GETMODE, &lvt); if (error != 0) goto out; 
@@ -932,6 +937,7 @@ linux_machdepioctl(struct lwp *l, const struct linux_sys_ioctl_args *uap, regist sectors = label.d_nsectors; } if (com == LINUX_HDIO_GETGEO) { + memset(&hdg, 0, sizeof(hdg)); hdg.start = start; hdg.heads = heads; hdg.cylinders = cylinders; @@ -939,6 +945,7 @@ linux_machdepioctl(struct lwp *l, const struct linux_sys_ioctl_args *uap, regist error = copyout(&hdg, SCARG(uap, data), sizeof hdg); goto out; } else { + memset(&hdg_big, 0, sizeof(hdg_big)); hdg_big.start = start; hdg_big.heads = heads; hdg_big.cylinders = cylinders; diff --git a/sys/compat/linux/arch/i386/linux_ptrace.c b/sys/compat/linux/arch/i386/linux_ptrace.c index 5f41bce017c7..a2d65c6ac606 100644 --- a/sys/compat/linux/arch/i386/linux_ptrace.c +++ b/sys/compat/linux/arch/i386/linux_ptrace.c @@ -223,6 +223,7 @@ linux_sys_ptrace_arch(struct lwp *l, const struct linux_sys_ptrace_args *uap, if (error) { break; } + memset(linux_regs, 0, sizeof(*linux_regs)); linux_regs->ebx = regs->r_ebx; linux_regs->ecx = regs->r_ecx; linux_regs->edx = regs->r_edx; diff --git a/sys/compat/linux/arch/m68k/linux_machdep.c b/sys/compat/linux/arch/m68k/linux_machdep.c index 115f9f2e7c1d..0380bbdfbf6d 100644 --- a/sys/compat/linux/arch/m68k/linux_machdep.c +++ b/sys/compat/linux/arch/m68k/linux_machdep.c @@ -118,6 +118,8 @@ setup_linux_sigframe(struct frame *frame, int sig, const sigset_t *mask, void *u p->p_pid, sig, &ft, fp, &fp->sf_c.c_sc, ft); #endif + memset(&kf, 0, sizeof(kf)); + /* Build stack frame. */ kf.sf_psigtramp = fp->sf_sigtramp; /* return addr for handler */ kf.sf_signum = native_to_linux_signo[sig]; @@ -280,6 +282,8 @@ setup_linux_rt_sigframe(struct frame *frame, int sig, const sigset_t *mask, void p->p_pid, sig, &ft, fp, &fp->sf_uc, ft); #endif + memset(&kf, 0, sizeof(kf)); + /* Build stack frame. */ kf.sf_psigtramp = fp->sf_sigtramp; /* return addr for handler */ kf.sf_signum = native_to_linux_signo[sig]; 
diff --git a/sys/compat/linux/arch/mips/linux_machdep.c b/sys/compat/linux/arch/mips/linux_machdep.c index 872d509c734d..b7ca90435df7 100644 --- a/sys/compat/linux/arch/mips/linux_machdep.c +++ b/sys/compat/linux/arch/mips/linux_machdep.c @@ -401,6 +401,7 @@ linux_sys_new_uname(struct lwp *l, const struct linux_sys_new_uname_args *uap, r } */ *uap = v; struct linux_utsname luts; + memset(&luts, 0, sizeof(luts)); strlcpy(luts.l_sysname, linux_sysname, sizeof(luts.l_sysname)); strlcpy(luts.l_nodename, hostname, sizeof(luts.l_nodename)); strlcpy(luts.l_release, "2.4.0", sizeof(luts.l_release)); diff --git a/sys/compat/linux/arch/powerpc/linux_exec_powerpc.c b/sys/compat/linux/arch/powerpc/linux_exec_powerpc.c index 4509ccc2edaa..c9fbf406a258 100644 --- a/sys/compat/linux/arch/powerpc/linux_exec_powerpc.c +++ b/sys/compat/linux/arch/powerpc/linux_exec_powerpc.c @@ -93,7 +93,7 @@ ELFNAME2(linux,copyargs)(struct lwp *l, struct exec_package *pack, & ~LINUX_SHIFT); #endif - memset(ai, 0, sizeof(AuxInfo) * LINUX_ELF_AUX_ENTRIES); + memset(ai, 0, sizeof(ai)); a = ai; diff --git a/sys/compat/linux/arch/powerpc/linux_machdep.c b/sys/compat/linux/arch/powerpc/linux_machdep.c index da282bbb84af..1530cc5d8bc6 100644 --- a/sys/compat/linux/arch/powerpc/linux_machdep.c +++ b/sys/compat/linux/arch/powerpc/linux_machdep.c @@ -162,6 +162,7 @@ linux_sendsig(const ksiginfo_t *ksi, const sigset_t *mask) * * Save register context. */ + memset(&linux_regs, 0, sizeof(linux_regs)); for (i = 0; i < 32; i++) linux_regs.lgpr[i] = tf->tf_fixreg[i]; linux_regs.lnip = tf->tf_srr0; diff --git a/sys/compat/linux/arch/powerpc/linux_ptrace.c b/sys/compat/linux/arch/powerpc/linux_ptrace.c index ca59816a8de7..9ff2d3c00edc 100644 --- a/sys/compat/linux/arch/powerpc/linux_ptrace.c +++ b/sys/compat/linux/arch/powerpc/linux_ptrace.c 
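Review bot: `memset(ai, 0, sizeof(ai))` is only equivalent to the removed `sizeof(AuxInfo) * LINUX_ELF_AUX_ENTRIES` if ai is declared as an array in this function; its declaration is outside the hunk, and if ai is a pointer then sizeof(ai) is the pointer size and the memset now clears only the first few bytes of the aux vector, leaving the rest of what is later placed on the new process stack uninitialized. Please confirm the declaration; if it is a pointer, `memset(ai, 0, sizeof(*ai) * LINUX_ELF_AUX_ENTRIES);` keeps the intent of the change without depending on it. The `a = ai;` that follows works either way, so it does not settle the question.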
@@ -200,6 +200,7 @@ linux_sys_ptrace_arch(struct lwp *l, const struct linux_sys_ptrace_args *uap, if (error) { break; } + memset(&linux_regs, 0, sizeof(linux_regs)); for (i = 0; i <= 31; i++) { linux_regs->lgpr[i] = regs->fixreg[i]; } @@ -309,7 +310,7 @@ linux_sys_ptrace_arch(struct lwp *l, const struct linux_sys_ptrace_args *uap, break; } error = copyout (retval, (void *)SCARG(uap, data), - sizeof(retval)); + sizeof(*retval)); *retval = SCARG(uap, data); break; diff --git a/sys/compat/linux/common/linux_cdrom.c b/sys/compat/linux/common/linux_cdrom.c index 07d84540c02d..44558bd10fb9 100644 --- a/sys/compat/linux/common/linux_cdrom.c +++ b/sys/compat/linux/common/linux_cdrom.c @@ -186,6 +186,7 @@ linux_ioctl_cdrom(struct lwp *l, const struct linux_sys_ioctl_args *uap, registe if (error) break; + memset(&l_tochdr, 0, sizeof(l_tochdr)); l_tochdr.cdth_trk0 = t_header.starting_track; l_tochdr.cdth_trk1 = t_header.ending_track; @@ -238,6 +239,7 @@ linux_ioctl_cdrom(struct lwp *l, const struct linux_sys_ioctl_args *uap, registe if (error) break; + memset(&l_volctrl, 0, sizeof(l_volctrl)); l_volctrl.channel0 = t_vol.vol[0]; l_volctrl.channel1 = t_vol.vol[1]; l_volctrl.channel2 = t_vol.vol[2]; diff --git a/sys/compat/linux/common/linux_fdio.c b/sys/compat/linux/common/linux_fdio.c index bf9b5be05900..77fbc5572c04 100644 --- a/sys/compat/linux/common/linux_fdio.c +++ b/sys/compat/linux/common/linux_fdio.c @@ -107,6 +107,7 @@ linux_ioctl_fdio(struct lwp *l, const struct linux_sys_ioctl_args *uap, error = ioctlf(fp, FDIOCGETFORMAT, &fparams); if (error != 0) break; + memset(&lflop, 0, sizeof(lflop)); lflop.size = fparams.ncyl * fparams.nspt * fparams.ntrk; lflop.sect = fparams.nspt; lflop.head = fparams.ntrk; diff --git a/sys/compat/linux/common/linux_file.c b/sys/compat/linux/common/linux_file.c index e1ca8eff9683..10f1c6cc5c34 100644 --- a/sys/compat/linux/common/linux_file.c +++ b/sys/compat/linux/common/linux_file.c 
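Review bot: `memset(&linux_regs, 0, sizeof(linux_regs));` zeroes the pointer variable itself, not the structure: the very next line dereferences `linux_regs->lgpr[i]`, so linux_regs is a pointer, and after this memset it is NULL, turning a padding fix into a kernel NULL-pointer dereference in linux_sys_ptrace_arch. It should read `memset(linux_regs, 0, sizeof(*linux_regs));`, matching the arm and i386 linux_ptrace.c hunks in this same patch. The function begins before the hunk and continues after it.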
@@ -445,6 +445,7 @@ static void bsd_to_linux_stat(struct stat *bsp, struct linux_stat *lsp) { + memset(lsp, 0, sizeof(*lsp)); lsp->lst_dev = linux_fakedev(bsp->st_dev, 0); lsp->lst_ino = bsp->st_ino; lsp->lst_mode = (linux_mode_t)bsp->st_mode; diff --git a/sys/compat/linux/common/linux_hdio.c b/sys/compat/linux/common/linux_hdio.c index 79300d3ebd09..bfcd367c3994 100644 --- a/sys/compat/linux/common/linux_hdio.c +++ b/sys/compat/linux/common/linux_hdio.c @@ -113,6 +113,7 @@ linux_ioctl_hdio(struct lwp *l, const struct linux_sys_ioctl_args *uap, error = error1; break; } + memset(&hdg, 0, sizeof(hdg)); hdg.start = error1 != 0 ? pi.pi_offset : 0; hdg.heads = label.d_ntracks; hdg.cylinders = label.d_ncylinders; @@ -131,6 +132,7 @@ linux_ioctl_hdio(struct lwp *l, const struct linux_sys_ioctl_args *uap, error = error1; break; } + memset(&hdg_big, 0, sizeof(hdg_big)); hdg_big.start = error1 != 0 ? pi.pi_offset : 0; hdg_big.heads = label.d_ntracks; hdg_big.cylinders = label.d_ncylinders; diff --git a/sys/compat/linux/common/linux_misc.c b/sys/compat/linux/common/linux_misc.c index 4b94795bb21d..71c6daefdc1f 100644 --- a/sys/compat/linux/common/linux_misc.c +++ b/sys/compat/linux/common/linux_misc.c @@ -629,6 +629,8 @@ linux_sys_times(struct lwp *l, const struct linux_sys_times_args *uap, register_ struct linux_tms ltms; struct rusage ru; + memset(<ms, 0, sizeof(ltms)); + mutex_enter(p->p_lock); calcru(p, &ru.ru_utime, &ru.ru_stime, NULL, NULL); ltms.ltms_utime = CONVTCK(ru.ru_utime); @@ -1399,6 +1401,7 @@ linux_sys_getrlimit(struct lwp *l, const struct linux_sys_getrlimit_args *uap, r if (which < 0) return -which; + memset(&orl, 0, sizeof(orl)); bsd_to_linux_rlimit(&orl, &l->l_proc->p_rlimit[which]); return copyout(&orl, SCARG(uap, rlp), sizeof(orl)); diff --git a/sys/compat/linux/common/linux_mtio.c b/sys/compat/linux/common/linux_mtio.c index b92051d65f29..c2be9fbcadca 100644 --- a/sys/compat/linux/common/linux_mtio.c +++ b/sys/compat/linux/common/linux_mtio.c 
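Review bot: The zeroing of orl is done at the call site in linux_sys_getrlimit, whereas the other converters in this patch (bsd_to_linux_stat, native_to_linux_sigaction, native_to_linux_timespec) zero their destination inside the converter; zeroing the destination struct at the top of bsd_to_linux_rlimit instead would cover every caller, including the identical linux32_sys_getrlimit site in linux32_resource.c later in this patch. I cannot see bsd_to_linux_rlimit or its other callers from here, so this is a consistency suggestion to confirm. linux_sys_getrlimit begins before the hunk.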
@@ -106,6 +106,7 @@ linux_ioctl_mtio(struct lwp *l, const struct linux_sys_ioctl_args *uap, error = ioctlf(fp, MTIOCTOP, &mt); break; case LINUX_MTIOCGET: + memset(&lmtget, 0, sizeof(lmtget)); lmtget.mt_type = LINUX_MT_ISUNKNOWN; lmtget.mt_resid = 0; lmtget.mt_dsreg = 0; diff --git a/sys/compat/linux/common/linux_oldolduname.c b/sys/compat/linux/common/linux_oldolduname.c index c48939d49e5c..fc206680a829 100644 --- a/sys/compat/linux/common/linux_oldolduname.c +++ b/sys/compat/linux/common/linux_oldolduname.c @@ -58,6 +58,8 @@ linux_sys_oldolduname(struct lwp *l, const struct linux_sys_oldolduname_args *ua } */ struct linux_oldoldutsname luts; + memset(&luts, 0, sizeof(luts)); + strlcpy(luts.l_sysname, linux_sysname, sizeof(luts.l_sysname)); strlcpy(luts.l_nodename, hostname, sizeof(luts.l_nodename)); strlcpy(luts.l_release, linux_release, sizeof(luts.l_release)); diff --git a/sys/compat/linux/common/linux_olduname.c b/sys/compat/linux/common/linux_olduname.c index 20f9cde0581d..7221ca1866e4 100644 --- a/sys/compat/linux/common/linux_olduname.c +++ b/sys/compat/linux/common/linux_olduname.c @@ -61,6 +61,8 @@ linux_sys_olduname(struct lwp *l, const struct linux_sys_olduname_args *uap, reg } */ struct linux_oldutsname luts; + memset(&luts, 0, sizeof(luts)); + strlcpy(luts.l_sysname, linux_sysname, sizeof(luts.l_sysname)); strlcpy(luts.l_nodename, hostname, sizeof(luts.l_nodename)); strlcpy(luts.l_release, linux_release, sizeof(luts.l_release)); diff --git a/sys/compat/linux/common/linux_sched.c b/sys/compat/linux/common/linux_sched.c index ea301c199715..aab1a8d4d0eb 100644 --- a/sys/compat/linux/common/linux_sched.c +++ b/sys/compat/linux/common/linux_sched.c @@ -346,6 +346,8 @@ sched_native2linux(int native_policy, struct sched_param *native_params, KASSERT(prio <= SCHED_PRI_MAX); KASSERT(linux_params != NULL); + memset(linux_params, 0, sizeof(*linux_params)); + DPRINTF(("%s: native: policy %d, priority %d\n", __func__, native_policy, prio)); 
diff --git a/sys/compat/linux/common/linux_signal.c b/sys/compat/linux/common/linux_signal.c index 92b44250ec0d..e4e70e736ae3 100644 --- a/sys/compat/linux/common/linux_signal.c +++ b/sys/compat/linux/common/linux_signal.c @@ -274,6 +274,8 @@ linux_to_native_sigflags(const unsigned long lsf) void linux_old_to_native_sigaction(struct sigaction *bsa, const struct linux_old_sigaction *lsa) { + + memset(bsa, 0, sizeof(*bsa)); bsa->sa_handler = lsa->linux_sa_handler; linux_old_to_native_sigset(&bsa->sa_mask, &lsa->linux_sa_mask); bsa->sa_flags = linux_to_native_sigflags(lsa->linux_sa_flags); @@ -282,6 +284,8 @@ linux_old_to_native_sigaction(struct sigaction *bsa, const struct linux_old_siga void native_to_linux_old_sigaction(struct linux_old_sigaction *lsa, const struct sigaction *bsa) { + + memset(lsa, 0, sizeof(*lsa)); lsa->linux_sa_handler = bsa->sa_handler; native_to_linux_old_sigset(&lsa->linux_sa_mask, &bsa->sa_mask); lsa->linux_sa_flags = native_to_linux_sigflags(bsa->sa_flags); @@ -294,6 +298,8 @@ native_to_linux_old_sigaction(struct linux_old_sigaction *lsa, const struct siga void linux_to_native_sigaction(struct sigaction *bsa, const struct linux_sigaction *lsa) { + + memset(bsa, 0, sizeof(*bsa)); bsa->sa_handler = lsa->linux_sa_handler; linux_to_native_sigset(&bsa->sa_mask, &lsa->linux_sa_mask); bsa->sa_flags = linux_to_native_sigflags(lsa->linux_sa_flags); @@ -302,6 +308,8 @@ linux_to_native_sigaction(struct sigaction *bsa, const struct linux_sigaction *l void native_to_linux_sigaction(struct linux_sigaction *lsa, const struct sigaction *bsa) { + + memset(lsa, 0, sizeof(*lsa)); lsa->linux_sa_handler = bsa->sa_handler; native_to_linux_sigset(&lsa->linux_sa_mask, &bsa->sa_mask); lsa->linux_sa_flags = native_to_linux_sigflags(bsa->sa_flags); diff --git a/sys/compat/linux/common/linux_socket.c b/sys/compat/linux/common/linux_socket.c index b6e3c637e47f..acc2f1d9ef49 100644 --- a/sys/compat/linux/common/linux_socket.c +++ b/sys/compat/linux/common/linux_socket.c 
@@ -440,6 +440,7 @@ linux_sys_sendto(struct lwp *l, const struct linux_sys_sendto_args *uap, registe static void linux_to_bsd_msghdr(const struct linux_msghdr *lmsg, struct msghdr *bmsg) { + memset(bmsg, 0, sizeof(*bmsg)); bmsg->msg_name = lmsg->msg_name; bmsg->msg_namelen = lmsg->msg_namelen; bmsg->msg_iov = lmsg->msg_iov; @@ -452,6 +453,7 @@ linux_to_bsd_msghdr(const struct linux_msghdr *lmsg, struct msghdr *bmsg) static void bsd_to_linux_msghdr(const struct msghdr *bmsg, struct linux_msghdr *lmsg) { + memset(lmsg, 0, sizeof(*lmsg)); lmsg->msg_name = bmsg->msg_name; lmsg->msg_namelen = bmsg->msg_namelen; lmsg->msg_iov = bmsg->msg_iov; @@ -699,6 +701,7 @@ linux_copyout_msg_control(struct lwp *l, struct msghdr *mp, struct mbuf *control * 1. different values for level/type on some archs * 2. different alignment of CMSG_DATA on some archs */ + memset(&linux_cmsg, 0, sizeof(linux_cmsg)); linux_cmsg.cmsg_len = cmsg->cmsg_len - LINUX_CMSG_ALIGN_DELTA; linux_cmsg.cmsg_level = cmsg->cmsg_level; linux_cmsg.cmsg_type = cmsg->cmsg_type; diff --git a/sys/compat/linux/common/linux_time.c b/sys/compat/linux/common/linux_time.c index 7d689ff76a9b..00b948c1a615 100644 --- a/sys/compat/linux/common/linux_time.c +++ b/sys/compat/linux/common/linux_time.c @@ -117,6 +117,7 @@ linux_sys_settimeofday(struct lwp *l, const struct linux_sys_settimeofday_args * void native_to_linux_timespec(struct linux_timespec *ltp, struct timespec *ntp) { + memset(ltp, 0, sizeof(*ltp)); ltp->tv_sec = ntp->tv_sec; ltp->tv_nsec = ntp->tv_nsec; } @@ -124,6 +125,7 @@ native_to_linux_timespec(struct linux_timespec *ltp, struct timespec *ntp) void linux_to_native_timespec(struct timespec *ntp, struct linux_timespec *ltp) { + memset(ntp, 0, sizeof(*ntp)); ntp->tv_sec = ltp->tv_sec; ntp->tv_nsec = ltp->tv_nsec; } diff --git a/sys/compat/linux32/arch/amd64/linux32_machdep.c b/sys/compat/linux32/arch/amd64/linux32_machdep.c index 70a9ac2e3fb7..85a7ed072f89 100644 
--- a/sys/compat/linux32/arch/amd64/linux32_machdep.c +++ b/sys/compat/linux32/arch/amd64/linux32_machdep.c @@ -126,6 +126,8 @@ linux32_old_sendsig(const ksiginfo_t *ksi, const sigset_t *mask) DPRINTF(("old: onstack = %d, fp = %p sig = %d rip = 0x%lx\n", onstack, fp, sig, tf->tf_rip)); + memset(&frame, 0, sizeof(frame)); + /* Build stack frame for signal trampoline. */ NETBSD32PTR32(frame.sf_handler, catcher); frame.sf_sig = native_to_linux32_signo[sig]; diff --git a/sys/compat/linux32/common/linux32_exec_elf32.c b/sys/compat/linux32/common/linux32_exec_elf32.c index 19ed2980f41e..b60b2a2ae94f 100644 --- a/sys/compat/linux32/common/linux32_exec_elf32.c +++ b/sys/compat/linux32/common/linux32_exec_elf32.c @@ -227,6 +227,8 @@ linux32_elf32_copyargs(struct lwp *l, struct exec_package *pack, *stackp += len; #if 0 + memset(&esd, 0, sizeof(esd)); + memcpy(esd.kernel_vsyscall, linux32_kernel_vsyscall, sizeof(linux32_kernel_vsyscall)); diff --git a/sys/compat/linux32/common/linux32_resource.c b/sys/compat/linux32/common/linux32_resource.c index 54970167ec75..53e559881269 100644 --- a/sys/compat/linux32/common/linux32_resource.c +++ b/sys/compat/linux32/common/linux32_resource.c @@ -87,6 +87,7 @@ linux32_sys_getrlimit(struct lwp *l, const struct linux32_sys_getrlimit_args *ua if (which < 0) return -which; + memset(&orl, 0, sizeof(orl)); bsd_to_linux_rlimit(&orl, &l->l_proc->p_rlimit[which]); return copyout(&orl, SCARG_P32(uap, rlp), sizeof(orl)); diff --git a/sys/compat/linux32/common/linux32_signal.c b/sys/compat/linux32/common/linux32_signal.c index 8c6624e42c1b..d2af8fa4cc0b 100644 --- a/sys/compat/linux32/common/linux32_signal.c +++ b/sys/compat/linux32/common/linux32_signal.c 
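Review bot: The memset added in linux32_elf32_copyargs sits inside the `#if 0` block that opens on the line just above it, so it is never compiled and the built kernel is unchanged by this part of the commit. If the block is kept only as a reference for a future re-enable, a short comment would stop the next reader from assuming `esd` is scrubbed today, e.g. `/* disabled code: esd is not built or copied out; zeroing kept for when this is revived */`; otherwise the line is better dropped from this change. The surrounding function starts and ends outside the hunk.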
@@ -215,6 +215,7 @@ linux32_to_native_sigflags(const unsigned long lsf) void linux32_to_native_sigaction(struct sigaction *bsa, const struct linux32_sigaction *lsa) { + memset(bsa, 0, sizeof(*bsa)); bsa->sa_handler = NETBSD32PTR64(lsa->linux_sa_handler); linux32_to_native_sigset(&bsa->sa_mask, &lsa->linux_sa_mask); bsa->sa_flags = linux32_to_native_sigflags(lsa->linux_sa_flags); @@ -223,6 +224,7 @@ linux32_to_native_sigaction(struct sigaction *bsa, const struct linux32_sigactio void native_to_linux32_sigaction(struct linux32_sigaction *lsa, const struct sigaction *bsa) { + memset(lsa, 0, sizeof(*lsa)); NETBSD32PTR32(lsa->linux_sa_handler, bsa->sa_handler); native_to_linux32_sigset(&lsa->linux_sa_mask, &bsa->sa_mask); lsa->linux_sa_flags = native_to_linux32_sigflags(bsa->sa_flags); diff --git a/sys/compat/linux32/common/linux32_time.c b/sys/compat/linux32/common/linux32_time.c index a6b9173e950c..2d62f24b692f 100644 --- a/sys/compat/linux32/common/linux32_time.c +++ b/sys/compat/linux32/common/linux32_time.c @@ -166,6 +166,8 @@ linux32_sys_times(struct lwp *l, const struct linux32_sys_times_args *uap, regis struct linux32_tms ltms32; struct rusage ru; + memset(<ms32, 0, sizeof(ltms32)); + mutex_enter(p->p_lock); calcru(p, &ru.ru_utime, &ru.ru_stime, NULL, NULL); ltms32.ltms32_utime = CONVTCK(ru.ru_utime); @@ -237,6 +239,8 @@ linux32_sys_utime(struct lwp *l, const struct linux32_sys_utime_args *uap, regis void native_to_linux32_timespec(struct linux32_timespec *ltp, struct timespec *ntp) { + + memset(ltp, 0, sizeof(*ltp)); ltp->tv_sec = ntp->tv_sec; ltp->tv_nsec = ntp->tv_nsec; } @@ -244,6 +248,8 @@ native_to_linux32_timespec(struct linux32_timespec *ltp, struct timespec *ntp) void linux32_to_native_timespec(struct timespec *ntp, struct linux32_timespec *ltp) { + + memset(ntp, 0, sizeof(*ntp)); ntp->tv_sec = ltp->tv_sec; ntp->tv_nsec = ltp->tv_nsec; } 
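Review bot: As rendered here, the new line in linux32_sys_times reads `memset(<ms32, 0, sizeof(ltms32));`, which is not valid C; the leading `<` looks like an HTML-entity artifact of `&ltms32` (an `&lt` sequence rendered as `<`), and the committed line is presumably `memset(&ltms32, 0, sizeof(ltms32));`. Worth checking against the actual source rather than this rendering before relying on the patch text. The rest of linux32_sys_times, including the copyout of `ltms32`, lies outside the hunk.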
diff --git a/sys/compat/netbsd32/netbsd32_compat_12.c b/sys/compat/netbsd32/netbsd32_compat_12.c index 38a5185a8f49..d73c0b89cc33 100644 --- a/sys/compat/netbsd32/netbsd32_compat_12.c +++ b/sys/compat/netbsd32/netbsd32_compat_12.c @@ -62,6 +62,7 @@ static void netbsd32_stat12_to_netbsd32(struct stat12 *sp12, struct netbsd32_stat12 *sp32) { + memset(sp32, 0, sizeof(*sp32)); sp32->st_dev = sp12->st_dev; sp32->st_ino = sp12->st_ino; sp32->st_mode = sp12->st_mode; diff --git a/sys/compat/netbsd32/netbsd32_compat_20.c b/sys/compat/netbsd32/netbsd32_compat_20.c index fd93d5b6d22c..9d5feed6a545 100644 --- a/sys/compat/netbsd32/netbsd32_compat_20.c +++ b/sys/compat/netbsd32/netbsd32_compat_20.c @@ -57,6 +57,8 @@ static inline void compat_20_netbsd32_from_statvfs(struct statvfs *, static inline void compat_20_netbsd32_from_statvfs(struct statvfs *sbp, struct netbsd32_statfs *sb32p) { + + memset(sb32p, 0, sizeof(*sb32p)); sb32p->f_type = 0; /* XXX Put an actual value? */ sb32p->f_flags = sbp->f_flag; sb32p->f_bsize = (netbsd32_long)sbp->f_bsize; diff --git a/sys/compat/netbsd32/netbsd32_compat_43.c b/sys/compat/netbsd32/netbsd32_compat_43.c index b646d25f943a..43c0b08a2363 100644 --- a/sys/compat/netbsd32/netbsd32_compat_43.c +++ b/sys/compat/netbsd32/netbsd32_compat_43.c @@ -646,6 +646,7 @@ compat_43_netbsd32_osigvec(struct lwp *l, const struct compat_43_netbsd32_osigve return error; if (SCARG_P32(uap, osv)) { + memset(&sv32, 0, sizeof(sv32)); NETBSD32PTR32(sv32.sv_handler, osa.sa_handler); sv32.sv_mask = osa.sa_mask.__bits[0]; sv32.sv_flags = osa.sa_flags ^ SA_RESTART; @@ -704,6 +705,7 @@ compat_43_netbsd32_osigstack(struct lwp *l, const struct compat_43_netbsd32_osig return error; if (SCARG_P32(uap, oss)) { + memset(&ss32, 0, sizeof(ss32)); NETBSD32PTR32(ss32.ss_sp, osa.ss_sp); ss32.ss_onstack = (osa.ss_flags & SS_ONSTACK) != 0; error = copyout(&ss32, SCARG_P32(uap, oss), sizeof(ss32)); 
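Review bot: In compat_20_netbsd32_from_statvfs the line `sb32p->f_type = 0; /* XXX Put an actual value? */` is now redundant with the memset placed directly above it, and the same pattern recurs in later hunks: `tzfake.tz_minuteswest = 0; tzfake.tz_dsttime = 0;` in compat_50_netbsd32_gettimeofday and netbsd32___gettimeofday50, and the explicit `ss->__bits[1] = 0; ss->__bits[2] = 0;` in the sunos_to_native_sigset hunks of sunos_misc.c and sunos32_misc.c. Leaving the assignments is harmless, but since the memset is there for padding rather than for the named fields, a one-line comment on the first such site would make the intent clear, e.g. `/* memset scrubs padding; explicit zeros kept for the documented fields */`. Alternatively the duplicated stores can simply be dropped.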
diff --git a/sys/compat/netbsd32/netbsd32_compat_50.c b/sys/compat/netbsd32/netbsd32_compat_50.c index 75a165a8dd07..81aaf3612c1b 100644 --- a/sys/compat/netbsd32/netbsd32_compat_50.c +++ b/sys/compat/netbsd32/netbsd32_compat_50.c @@ -170,6 +170,7 @@ compat_50_netbsd32_gettimeofday(struct lwp *l, * NetBSD has no kernel notion of time zone, so we just * fake up a timezone struct and return it if demanded. */ + memset(&tzfake, 0, sizeof(tzfake)); tzfake.tz_minuteswest = 0; tzfake.tz_dsttime = 0; error = copyout(&tzfake, SCARG_P32(uap, tzp), sizeof(tzfake)); @@ -255,6 +256,8 @@ compat_50_netbsd32_adjtime(struct lwp *l, return error; if (SCARG_P32(uap, olddelta)) { + memset(&atv, 0, sizeof(atv)); + mutex_spin_enter(&timecounter_lock); atv.tv_sec = time_adjtime / 1000000; atv.tv_usec = time_adjtime % 1000000; @@ -401,6 +404,7 @@ compat_50_netbsd32_timer_settime(struct lwp *l, return error; if (ovp) { + memset(&its32, 0, sizeof(its32)); netbsd32_from_timespec50(&ovp->it_interval, &its32.it_interval); netbsd32_from_timespec50(&ovp->it_value, &its32.it_value); return copyout(&its32, SCARG_P32(uap, ovalue), sizeof(its32)); @@ -423,6 +427,8 @@ compat_50_netbsd32_timer_gettime(struct lwp *l, const struct compat_50_netbsd32_ &its)) != 0) return error; + memset(&its32, 0, sizeof(its32)); + netbsd32_from_timespec50(&its.it_interval, &its32.it_interval); netbsd32_from_timespec50(&its.it_value, &its32.it_value); diff --git a/sys/compat/netbsd32/netbsd32_conv.h b/sys/compat/netbsd32/netbsd32_conv.h index 3e1b93ca5a6e..a267d6816bdf 100644 --- a/sys/compat/netbsd32/netbsd32_conv.h +++ b/sys/compat/netbsd32/netbsd32_conv.h @@ -58,6 +58,7 @@ netbsd32_from_timeval50(const struct timeval *tv, struct netbsd32_timeval50 *tv32) { + memset(tv32, 0, sizeof(*tv32)); tv32->tv_sec = (netbsd32_time50_t)tv->tv_sec; tv32->tv_usec = (netbsd32_long)tv->tv_usec; } 
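Review bot: Starting with netbsd32_from_timeval50, every converter in netbsd32_conv.h (a header of `static __inline` helpers) now calls memset, but nothing in these hunks shows the header obtaining the declaration itself, so unless it already includes `<sys/systm.h>` (or `<lib/libkern/libkern.h>`) each includer now depends on include order to compile; the same applies to the new memset in statvfs_to_statvfs90 in sys/compat/sys/statvfs.h. That is inferred from the hunks alone and may already be handled by existing includes at the top of the header, which is outside the hunk. If it is not, adding the include to the header is the fix rather than touching every consumer.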
@@ -67,6 +68,7 @@ netbsd32_from_timeval(const struct timeval *tv, struct netbsd32_timeval *tv32) { + memset(tv32, 0, sizeof(*tv32)); tv32->tv_sec = (netbsd32_time_t)tv->tv_sec; tv32->tv_usec = tv->tv_usec; } @@ -76,6 +78,7 @@ netbsd32_to_timeval50(const struct netbsd32_timeval50 *tv32, struct timeval *tv) { + memset(tv, 0, sizeof(*tv)); tv->tv_sec = (time_t)tv32->tv_sec; tv->tv_usec = tv32->tv_usec; } @@ -85,6 +88,7 @@ netbsd32_to_timeval(const struct netbsd32_timeval *tv32, struct timeval *tv) { + memset(tv, 0, sizeof(*tv)); tv->tv_sec = (time_t)tv32->tv_sec; tv->tv_usec = tv32->tv_usec; } @@ -94,6 +98,7 @@ netbsd32_from_itimerval50(const struct itimerval *itv, struct netbsd32_itimerval50 *itv32) { + memset(itv32, 0, sizeof(*itv32)); netbsd32_from_timeval50(&itv->it_interval, &itv32->it_interval); netbsd32_from_timeval50(&itv->it_value, @@ -105,6 +110,7 @@ netbsd32_from_itimerval(const struct itimerval *itv, struct netbsd32_itimerval *itv32) { + memset(itv32, 0, sizeof(*itv32)); netbsd32_from_timeval(&itv->it_interval, &itv32->it_interval); netbsd32_from_timeval(&itv->it_value, @@ -116,6 +122,7 @@ netbsd32_to_itimerval50(const struct netbsd32_itimerval50 *itv32, struct itimerval *itv) { + memset(itv, 0, sizeof(*itv)); netbsd32_to_timeval50(&itv32->it_interval, &itv->it_interval); netbsd32_to_timeval50(&itv32->it_value, &itv->it_value); } @@ -125,6 +132,7 @@ netbsd32_to_itimerval(const struct netbsd32_itimerval *itv32, struct itimerval *itv) { + memset(itv, 0, sizeof(*itv)); netbsd32_to_timeval(&itv32->it_interval, &itv->it_interval); netbsd32_to_timeval(&itv32->it_value, &itv->it_value); } @@ -134,6 +142,7 @@ netbsd32_to_timespec50(const struct netbsd32_timespec50 *s32p, struct timespec *p) { + memset(p, 0, sizeof(*p)); p->tv_sec = (time_t)s32p->tv_sec; p->tv_nsec = (long)s32p->tv_nsec; } 
@@ -143,6 +152,7 @@ netbsd32_to_timespec(const struct netbsd32_timespec *s32p, struct timespec *p) { + memset(p, 0, sizeof(*p)); p->tv_sec = (time_t)s32p->tv_sec; p->tv_nsec = (long)s32p->tv_nsec; } @@ -152,6 +162,7 @@ netbsd32_from_timespec50(const struct timespec *p, struct netbsd32_timespec50 *s32p) { + memset(s32p, 0, sizeof(*s32p)); s32p->tv_sec = (netbsd32_time50_t)p->tv_sec; s32p->tv_nsec = (netbsd32_long)p->tv_nsec; } @@ -161,6 +172,7 @@ netbsd32_from_timespec(const struct timespec *p, struct netbsd32_timespec *s32p) { + memset(s32p, 0, sizeof(*s32p)); s32p->tv_sec = (netbsd32_time_t)p->tv_sec; s32p->tv_nsec = (netbsd32_long)p->tv_nsec; } @@ -170,6 +182,7 @@ netbsd32_from_rusage(const struct rusage *rup, struct netbsd32_rusage *ru32p) { + memset(ru32p, 0, sizeof(*ru32p)); netbsd32_from_timeval(&rup->ru_utime, &ru32p->ru_utime); netbsd32_from_timeval(&rup->ru_stime, &ru32p->ru_stime); #define C(var) ru32p->var = (netbsd32_long)rup->var @@ -195,6 +208,7 @@ netbsd32_to_rusage(const struct netbsd32_rusage *ru32p, struct rusage *rup) { + memset(rup, 0, sizeof(*rup)); netbsd32_to_timeval(&ru32p->ru_utime, &rup->ru_utime); netbsd32_to_timeval(&ru32p->ru_stime, &rup->ru_stime); #define C(var) rup->var = (long)ru32p->var @@ -220,6 +234,7 @@ netbsd32_from_rusage50(const struct rusage *rup, struct netbsd32_rusage50 *ru32p) { + memset(ru32p, 0, sizeof(*ru32p)); netbsd32_from_timeval50(&rup->ru_utime, &ru32p->ru_utime); netbsd32_from_timeval50(&rup->ru_stime, &ru32p->ru_stime); #define C(var) ru32p->var = (netbsd32_long)rup->var @@ -254,6 +269,7 @@ netbsd32_to_iovecin(const struct netbsd32_iovec *iov32p, struct iovec *iovp, * each field separately. I'm doing the latter to reduce * the number of MALLOC()s. */ + memset(iovp, 0, sizeof(*iovp)); total_iov_len = 0; for (i = 0; i < len; i++, iovp++, iov32p++) { if ((error = copyin(&iov32p->iov_base, &iov_base, sizeof(iov_base)))) 
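Review bot: In netbsd32_to_iovecin `memset(iovp, 0, sizeof(*iovp));` clears only the first `struct iovec`, while the loop immediately below advances `iovp` across `len` elements, so elements after the first are not scrubbed at all. If the goal is to zero padding in the whole array the call should be `memset(iovp, 0, len * sizeof(*iovp));`, which is safe only if `len` has already been bounded by the caller (presumably the case, since the array was sized from it, but that is outside the hunk). If instead the loop fully assigns each element, the partial memset adds nothing and is more misleading than no memset; the loop body continues past the end of the hunk, so which case applies cannot be confirmed from here.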
@@ -284,6 +300,7 @@ static __inline void netbsd32_to_msghdr(const struct netbsd32_msghdr *mhp32, struct msghdr *mhp) { + memset(mhp, 0, sizeof(*mhp)); mhp->msg_name = NETBSD32PTR64(mhp32->msg_name); mhp->msg_namelen = mhp32->msg_namelen; mhp->msg_iovlen = (size_t)mhp32->msg_iovlen; @@ -297,6 +314,7 @@ static __inline void netbsd32_from_msghdr(struct netbsd32_msghdr *mhp32, const struct msghdr *mhp) { + memset(mhp32, 0, sizeof(*mhp32)); NETBSD32PTR32(mhp32->msg_name, mhp->msg_name); mhp32->msg_namelen = mhp->msg_namelen; mhp32->msg_iovlen = mhp->msg_iovlen; @@ -309,21 +327,27 @@ static __inline void netbsd32_to_mmsghdr(const struct netbsd32_mmsghdr *mmsg32, struct mmsghdr *mmsg) { - netbsd32_to_msghdr(&mmsg32->msg_hdr, &mmsg->msg_hdr); - mmsg->msg_len = mmsg32->msg_len; + + memset(mmsg, 0, sizeof(*mmsg)); + netbsd32_to_msghdr(&mmsg32->msg_hdr, &mmsg->msg_hdr); + mmsg->msg_len = mmsg32->msg_len; } static __inline void netbsd32_from_mmsghdr(struct netbsd32_mmsghdr *mmsg32, const struct mmsghdr *mmsg) { - netbsd32_from_msghdr(&mmsg32->msg_hdr, &mmsg->msg_hdr); - mmsg32->msg_len = mmsg->msg_len; + + memset(mmsg32, 0, sizeof(*mmsg32)); + netbsd32_from_msghdr(&mmsg32->msg_hdr, &mmsg->msg_hdr); + mmsg32->msg_len = mmsg->msg_len; } static __inline void netbsd32_from_statvfs90(const struct statvfs *sbp, struct netbsd32_statvfs90 *sb32p) { + + memset(sb32p, 0, sizeof(*sb32p)); sb32p->f_flag = sbp->f_flag; sb32p->f_bsize = (netbsd32_u_long)sbp->f_bsize; sb32p->f_frsize = (netbsd32_u_long)sbp->f_frsize; @@ -364,6 +388,8 @@ netbsd32_from_statvfs90(const struct statvfs *sbp, struct netbsd32_statvfs90 *sb static __inline void netbsd32_from_statvfs(const struct statvfs *sbp, struct netbsd32_statvfs *sb32p) { + + memset(sb32p, 0, sizeof(*sb32p)); sb32p->f_flag = sbp->f_flag; sb32p->f_bsize = (netbsd32_u_long)sbp->f_bsize; sb32p->f_frsize = (netbsd32_u_long)sbp->f_frsize; 
@@ -406,6 +432,7 @@ static __inline void netbsd32_from_timex(const struct timex *txp, struct netbsd32_timex *tx32p) { + memset(tx32p, 0, sizeof(*tx32p)); tx32p->modes = txp->modes; tx32p->offset = (netbsd32_long)txp->offset; tx32p->freq = (netbsd32_long)txp->freq; @@ -429,6 +456,7 @@ static __inline void netbsd32_to_timex(const struct netbsd32_timex *tx32p, struct timex *txp) { + memset(txp, 0, sizeof(*txp)); txp->modes = tx32p->modes; txp->offset = (long)tx32p->offset; txp->freq = (long)tx32p->freq; @@ -451,6 +479,7 @@ netbsd32_to_timex(const struct netbsd32_timex *tx32p, struct timex *txp) static __inline void netbsd32_from___stat13(const struct stat *sbp, struct netbsd32_stat13 *sb32p) { + memset(sb32p, 0, sizeof *sb32p); sb32p->st_dev = (uint32_t)sbp->st_dev; sb32p->st_ino = sbp->st_ino; @@ -477,6 +506,7 @@ netbsd32_from___stat13(const struct stat *sbp, struct netbsd32_stat13 *sb32p) static __inline void netbsd32_from___stat50(const struct stat *sbp, struct netbsd32_stat50 *sb32p) { + memset(sb32p, 0, sizeof *sb32p); sb32p->st_dev = (uint32_t)sbp->st_dev; sb32p->st_ino = sbp->st_ino; @@ -503,6 +533,7 @@ netbsd32_from___stat50(const struct stat *sbp, struct netbsd32_stat50 *sb32p) static __inline void netbsd32_from_stat(const struct stat *sbp, struct netbsd32_stat *sb32p) { + memset(sb32p, 0, sizeof *sb32p); sb32p->st_dev = sbp->st_dev; sb32p->st_ino = sbp->st_ino; @@ -531,6 +562,7 @@ netbsd32_to_ipc_perm(const struct netbsd32_ipc_perm *ip32p, struct ipc_perm *ipp) { + memset(ipp, 0, sizeof(*ipp)); ipp->cuid = ip32p->cuid; ipp->cgid = ip32p->cgid; ipp->uid = ip32p->uid; @@ -559,6 +591,7 @@ static __inline void netbsd32_to_msg(const struct netbsd32_msg *m32p, struct msg *mp) { + memset(mp, 0, sizeof(*mp)); mp->msg_next = NETBSD32PTR64(m32p->msg_next); mp->msg_type = (long)m32p->msg_type; mp->msg_ts = m32p->msg_ts; 
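Review bot: The three stat converters in this file, netbsd32_from___stat13, netbsd32_from___stat50 and netbsd32_from_stat, spell the new call as `memset(sb32p, 0, sizeof *sb32p);` while every other hunk in netbsd32_conv.h and the rest of the series uses the parenthesised `sizeof(*sb32p)`. Both forms are valid C; picking one, `memset(sb32p, 0, sizeof(*sb32p));`, keeps the header uniform and makes later grep-based audits of these scrubs simpler.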
@@ -581,6 +614,7 @@ netbsd32_to_msqid_ds50(const struct netbsd32_msqid_ds50 *ds32p, struct msqid_ds *dsp) { + memset(dsp, 0, sizeof(*dsp)); netbsd32_to_ipc_perm(&ds32p->msg_perm, &dsp->msg_perm); dsp->_msg_cbytes = (u_long)ds32p->_msg_cbytes; dsp->msg_qnum = (u_long)ds32p->msg_qnum; @@ -597,6 +631,7 @@ netbsd32_to_msqid_ds(const struct netbsd32_msqid_ds *ds32p, struct msqid_ds *dsp) { + memset(dsp, 0, sizeof(*dsp)); netbsd32_to_ipc_perm(&ds32p->msg_perm, &dsp->msg_perm); dsp->_msg_cbytes = (u_long)ds32p->_msg_cbytes; dsp->msg_qnum = (u_long)ds32p->msg_qnum; @@ -647,6 +682,7 @@ netbsd32_to_shmid_ds50(const struct netbsd32_shmid_ds50 *ds32p, struct shmid_ds *dsp) { + memset(dsp, 0, sizeof(*dsp)); netbsd32_to_ipc_perm(&ds32p->shm_perm, &dsp->shm_perm); dsp->shm_segsz = ds32p->shm_segsz; dsp->shm_lpid = ds32p->shm_lpid; @@ -662,6 +698,7 @@ netbsd32_to_shmid_ds(const struct netbsd32_shmid_ds *ds32p, struct shmid_ds *dsp) { + memset(dsp, 0, sizeof(*dsp)); netbsd32_to_ipc_perm(&ds32p->shm_perm, &dsp->shm_perm); dsp->shm_segsz = ds32p->shm_segsz; dsp->shm_lpid = ds32p->shm_lpid; @@ -709,6 +746,7 @@ netbsd32_to_semid_ds50(const struct netbsd32_semid_ds50 *s32dsp, struct semid_ds *dsp) { + memset(dsp, 0, sizeof(*dsp)); netbsd32_to_ipc_perm(&s32dsp->sem_perm, &dsp->sem_perm); dsp->sem_nsems = (time_t)s32dsp->sem_nsems; dsp->sem_otime = (time_t)s32dsp->sem_otime; @@ -720,6 +758,7 @@ netbsd32_to_semid_ds(const struct netbsd32_semid_ds *s32dsp, struct semid_ds *dsp) { + memset(dsp, 0, sizeof(*dsp)); netbsd32_to_ipc_perm(&s32dsp->sem_perm, &dsp->sem_perm); dsp->sem_nsems = s32dsp->sem_nsems; dsp->sem_otime = s32dsp->sem_otime; @@ -755,6 +794,7 @@ netbsd32_from_loadavg(struct netbsd32_loadavg *av32, const struct loadavg *av) { + memset(av32, 0, sizeof(*av32)); av32->ldavg[0] = av->ldavg[0]; av32->ldavg[1] = av->ldavg[1]; av32->ldavg[2] = av->ldavg[2]; 
@@ -764,6 +804,8 @@ netbsd32_from_loadavg(struct netbsd32_loadavg *av32, static __inline void netbsd32_to_kevent(struct netbsd32_kevent *ke32, struct kevent *ke) { + + memset(ke, 0, sizeof(*ke)); ke->ident = ke32->ident; ke->filter = ke32->filter; ke->flags = ke32->flags; @@ -775,6 +817,8 @@ netbsd32_to_kevent(struct netbsd32_kevent *ke32, struct kevent *ke) static __inline void netbsd32_from_kevent(struct kevent *ke, struct netbsd32_kevent *ke32) { + + memset(ke32, 0, sizeof(*ke32)); ke32->ident = ke->ident; ke32->filter = ke->filter; ke32->flags = ke->flags; @@ -786,6 +830,8 @@ netbsd32_from_kevent(struct kevent *ke, struct netbsd32_kevent *ke32) static __inline void netbsd32_to_sigevent(const struct netbsd32_sigevent *ev32, struct sigevent *ev) { + + memset(ev, 0, sizeof(*ev)); ev->sigev_notify = ev32->sigev_notify; ev->sigev_signo = ev32->sigev_signo; /* @@ -848,6 +894,7 @@ netbsd32_copyout_plistref(netbsd32_pointer_t n32p, struct plistref *p) { struct netbsd32_plistref n32plist; + memset(&n32plist, 0, sizeof(n32plist)); NETBSD32PTR32(n32plist.pref_plist, p->pref_plist); n32plist.pref_len = p->pref_len; return copyout(&n32plist, NETBSD32PTR64(n32p), @@ -875,6 +922,7 @@ netbsd32_copyout_nvlist_ref_t(netbsd32_pointer_t n32p, nvlist_ref_t *p) { netbsd32_nvlist_ref_t n32nv; + memset(&n32nv, 0, sizeof(n32nv)); NETBSD32PTR32(n32nv.buf, p->buf); n32nv.len = p->len; n32nv.flags = p->flags; @@ -886,6 +934,8 @@ static __inline void netbsd32_to_mq_attr(const struct netbsd32_mq_attr *a32, struct mq_attr *attr) { + + memset(attr, 0, sizeof(*attr)); attr->mq_flags = a32->mq_flags; attr->mq_maxmsg = a32->mq_maxmsg; attr->mq_msgsize = a32->mq_msgsize; @@ -896,6 +946,8 @@ static __inline void netbsd32_from_mq_attr(const struct mq_attr *attr, struct netbsd32_mq_attr *a32) { + + memset(a32, 0, sizeof(*a32)); a32->mq_flags = attr->mq_flags; a32->mq_maxmsg = attr->mq_maxmsg; a32->mq_msgsize = attr->mq_msgsize; 
diff --git a/sys/compat/netbsd32/netbsd32_nfssvc.c b/sys/compat/netbsd32/netbsd32_nfssvc.c index 91e01393e3e7..56475c14aba7 100644 --- a/sys/compat/netbsd32/netbsd32_nfssvc.c +++ b/sys/compat/netbsd32/netbsd32_nfssvc.c @@ -121,6 +121,7 @@ nfssvc32_nsd_out(void *argp, const struct nfsd_srvargs *nsd) { struct netbsd32_nfsd_srvargs args32; + memset(&args32, 0, sizeof(args32)); NETBSD32PTR32(args32.nsd_nfsd, nsd->nsd_nfsd); args32.nsd_uid = nsd->nsd_uid; args32.nsd_haddr = nsd->nsd_haddr; diff --git a/sys/compat/netbsd32/netbsd32_ptrace.c b/sys/compat/netbsd32/netbsd32_ptrace.c index a67119a21a11..e4fe0cb6575a 100644 --- a/sys/compat/netbsd32/netbsd32_ptrace.c +++ b/sys/compat/netbsd32/netbsd32_ptrace.c @@ -55,6 +55,7 @@ static void netbsd32_lwpstatus_to_lwpstatus32(struct netbsd32_ptrace_lwpstatus *pls32, const struct ptrace_lwpstatus *pls) { + memset(pls32, 0, sizeof(*pls32)); pls32->pl_lwpid = pls->pl_lwpid; pls32->pl_sigpend = pls->pl_sigpend; pls32->pl_sigmask = pls->pl_sigmask; @@ -103,6 +104,7 @@ netbsd32_copyout_piod(const struct ptrace_io_desc *piod, void *addr, size_t len) if (len != 0 && sizeof(piod32) != len) return EINVAL; + memset(&piod32, 0, sizeof(piod32)); piod32.piod_op = piod->piod_op; NETBSD32PTR32(piod32.piod_offs, piod->piod_offs); NETBSD32PTR32(piod32.piod_addr, piod->piod_addr); @@ -134,6 +136,7 @@ netbsd32_copyout_siginfo(const struct ptrace_siginfo *psi, void *addr, size_t le if (sizeof(psi32) != len) return EINVAL; + memset(&psi32, 0, sizeof(psi32)); psi32.psi_lwpid = psi->psi_lwpid; netbsd32_si_to_si32(&psi32.psi_siginfo, &psi->psi_siginfo); return copyout(&psi32, addr, sizeof(psi32)); diff --git a/sys/compat/netbsd32/netbsd32_signal.c b/sys/compat/netbsd32/netbsd32_signal.c index 5776be0a8255..2b1f3f14b483 100644 --- a/sys/compat/netbsd32/netbsd32_signal.c +++ b/sys/compat/netbsd32/netbsd32_signal.c 
@@ -86,6 +86,7 @@ netbsd32_sigaction(struct lwp *l, const struct netbsd32_sigaction_args *uap, reg return error; if (SCARG_P32(uap, osa)) { + memset(&sa32, 0, sizeof(sa32)); NETBSD32PTR32(sa32.netbsd32_sa_handler, osa.sa_handler); sa32.netbsd32_sa_mask = osa.sa_mask.__bits[0]; sa32.netbsd32_sa_flags = osa.sa_flags; @@ -135,6 +136,7 @@ netbsd32___sigaction14(struct lwp *l, const struct netbsd32___sigaction14_args * if (error) return error; if (SCARG_P32(uap, osa)) { + memset(&sa32, 0, sizeof(sa32)); NETBSD32PTR32(sa32.netbsd32_sa_handler, osa.sa_handler); sa32.netbsd32_sa_mask = osa.sa_mask; sa32.netbsd32_sa_flags = osa.sa_flags; @@ -175,6 +177,7 @@ netbsd32___sigaction_sigtramp(struct lwp *l, const struct netbsd32___sigaction_s if (error) return error; if (SCARG_P32(uap, osa)) { + memset(&sa32, 0, sizeof(sa32)); NETBSD32PTR32(sa32.netbsd32_sa_handler, osa.sa_handler); sa32.netbsd32_sa_mask = osa.sa_mask; sa32.netbsd32_sa_flags = osa.sa_flags; diff --git a/sys/compat/netbsd32/netbsd32_time.c b/sys/compat/netbsd32/netbsd32_time.c index 7fb4057c544c..2db6338fe66f 100644 --- a/sys/compat/netbsd32/netbsd32_time.c +++ b/sys/compat/netbsd32/netbsd32_time.c @@ -204,6 +204,7 @@ netbsd32___gettimeofday50(struct lwp *l, const struct netbsd32___gettimeofday50_ * NetBSD has no kernel notion of time zone, so we just * fake up a timezone struct and return it if demanded. */ + memset(&tzfake, 0, sizeof(tzfake)); tzfake.tz_minuteswest = 0; tzfake.tz_dsttime = 0; error = copyout(&tzfake, SCARG_P32(uap, tzp), sizeof(tzfake)); @@ -268,6 +269,7 @@ netbsd32___adjtime50(struct lwp *l, const struct netbsd32___adjtime50_args *uap, return error; if (SCARG_P32(uap, olddelta)) { + memset(&atv, 0, sizeof(atv)); atv.tv_sec = time_adjtime / 1000000; atv.tv_usec = time_adjtime % 1000000; if (atv.tv_usec < 0) { 
@@ -479,6 +481,7 @@ netbsd32___timer_settime50(struct lwp *l, const struct netbsd32___timer_settime5 return error; if (ovp) { + memset(&its32, 0, sizeof(its32)); netbsd32_from_timespec(&ovp->it_interval, &its32.it_interval); netbsd32_from_timespec(&ovp->it_value, &its32.it_value); return copyout(&its32, SCARG_P32(uap, ovalue), sizeof(its32)); @@ -501,6 +504,7 @@ netbsd32___timer_gettime50(struct lwp *l, const struct netbsd32___timer_gettime5 &its)) != 0) return error; + memset(&its32, 0, sizeof(its32)); netbsd32_from_timespec(&its.it_interval, &its32.it_interval); netbsd32_from_timespec(&its.it_value, &its32.it_value); diff --git a/sys/compat/netbsd32/netbsd32_wait.c b/sys/compat/netbsd32/netbsd32_wait.c index adf1fee0aec0..db732f0d0433 100644 --- a/sys/compat/netbsd32/netbsd32_wait.c +++ b/sys/compat/netbsd32/netbsd32_wait.c @@ -133,6 +133,7 @@ netbsd32_wait6(struct lwp *l, const struct netbsd32_wait6_args *uap, if (wrup != NULL && error == 0) { struct netbsd32_wrusage wru32; + memset(&wru32, 0, sizeof(wru32)); netbsd32_from_rusage(&wrup->wru_self, &wru32.wru_self); netbsd32_from_rusage(&wrup->wru_children, &wru32.wru_children); error = copyout(&wru32, SCARG_P32(uap, wru), sizeof(wru32)); diff --git a/sys/compat/ossaudio/ossaudio.c b/sys/compat/ossaudio/ossaudio.c index 202bda1dba37..a91e438b144d 100644 --- a/sys/compat/ossaudio/ossaudio.c +++ b/sys/compat/ossaudio/ossaudio.c @@ -664,6 +664,7 @@ oss_ioctl_audio(struct lwp *l, const struct oss_sys_ioctl_args *uap, register_t goto out; } setblocksize(fp, &tmpinfo); + memset(&bufinfo, 0, sizeof(bufinfo)); bufinfo.fragsize = tmpinfo.blocksize; bufinfo.fragments = tmpinfo.hiwat - (tmpinfo.play.seek + tmpinfo.blocksize - 1) / @@ -686,6 +687,7 @@ oss_ioctl_audio(struct lwp *l, const struct oss_sys_ioctl_args *uap, register_t goto out; } setblocksize(fp, &tmpinfo); + memset(&bufinfo, 0, sizeof(bufinfo)); bufinfo.fragsize = tmpinfo.blocksize; bufinfo.fragments = tmpinfo.record.seek / tmpinfo.blocksize; bufinfo.fragstotal = 
@@ -776,6 +778,7 @@ oss_ioctl_audio(struct lwp *l, const struct oss_sys_ioctl_args *uap, register_t __func__, error)); goto out; } + memset(&cntinfo, 0, sizeof(cntinfo)); cntinfo.bytes = tmpoffs.samples; cntinfo.blocks = tmpoffs.deltablks; cntinfo.ptr = tmpoffs.offset; @@ -793,6 +796,7 @@ oss_ioctl_audio(struct lwp *l, const struct oss_sys_ioctl_args *uap, register_t __func__, error)); goto out; } + memset(&cntinfo, 0, sizeof(cntinfo)); cntinfo.bytes = tmpoffs.samples; cntinfo.blocks = tmpoffs.deltablks; cntinfo.ptr = tmpoffs.offset; diff --git a/sys/compat/sunos/sunos_ioctl.c b/sys/compat/sunos/sunos_ioctl.c index 10f65b996427..079937973a67 100644 --- a/sys/compat/sunos/sunos_ioctl.c +++ b/sys/compat/sunos/sunos_ioctl.c @@ -127,6 +127,8 @@ stios2btios(struct sunos_termios *st, struct termios *bt) { u_long l, r; + memset(bt, 0, sizeof(*bt)); + l = st->c_iflag; r = ((l & 0x00000001) ? IGNBRK : 0); r |= ((l & 0x00000002) ? BRKINT : 0); @@ -248,6 +250,8 @@ btios2stios(struct termios *bt, struct sunos_termios *st) u_long l, r; int s; + memset(st, 0, sizeof(*st)); + l = bt->c_iflag; r = ((l & IGNBRK) ? 0x00000001 : 0); r |= ((l & BRKINT) ? 0x00000002 : 0); @@ -372,6 +376,8 @@ btios2stios(struct termios *bt, struct sunos_termios *st) static void stios2stio(struct sunos_termios *ts, struct sunos_termio *t) { + + memset(t, 0, sizeof(*t)); t->c_iflag = ts->c_iflag; t->c_oflag = ts->c_oflag; t->c_cflag = ts->c_cflag; @@ -383,6 +389,8 @@ stios2stio(struct sunos_termios *ts, struct sunos_termio *t) static void stio2stios(struct sunos_termio *t, struct sunos_termios *ts) { + + memset(ts, 0, sizeof(*ts)); ts->c_iflag = t->c_iflag; ts->c_oflag = t->c_oflag; ts->c_cflag = t->c_cflag; @@ -486,6 +494,7 @@ sunos_sys_ioctl(struct lwp *l, const struct sunos_sys_ioctl_args *uap, if ((error = (*ctl)(fp, TIOCGWINSZ, &ws)) != 0) break; + memset(&ss, 0, sizeof(ss)); ss.ts_row = ws.ws_row; ss.ts_col = ws.ws_col; 
@@ -727,6 +736,7 @@ sunos_sys_ioctl(struct lwp *l, const struct sunos_sys_ioctl_args *uap, if (error) break; + memset(&sunos_aui, 0, sizeof(sunos_aui)); sunos_aui.play = *(struct sunos_audio_prinfo *)&aui.play; sunos_aui.record = *(struct sunos_audio_prinfo *)&aui.record; @@ -937,6 +947,9 @@ static void sunos_to_bsd_flock(struct sunos_flock *, struct flock *); static void bsd_to_sunos_flock(struct flock *iflp, struct sunos_flock *oflp) { + + memset(oflp, 0, sizeof(*oflp)); + switch (iflp->l_type) { case F_RDLCK: oflp->l_type = SUNOS_F_RDLCK; @@ -963,6 +976,9 @@ bsd_to_sunos_flock(struct flock *iflp, struct sunos_flock *oflp) static void sunos_to_bsd_flock(struct sunos_flock *iflp, struct flock *oflp) { + + memset(oflp, 0, sizeof(*oflp)); + switch (iflp->l_type) { case SUNOS_F_RDLCK: oflp->l_type = F_RDLCK; diff --git a/sys/compat/sunos/sunos_misc.c b/sys/compat/sunos/sunos_misc.c index 9156b0eaf8bc..bf02736a0c47 100644 --- a/sys/compat/sunos/sunos_misc.c +++ b/sys/compat/sunos/sunos_misc.c @@ -309,6 +309,7 @@ void sunos_to_native_sigset(const int, sigset_t *); inline void native_to_sunos_sigset(const sigset_t *ss, int *mask) { + *mask = ss->__bits[0]; } @@ -316,6 +317,7 @@ inline void sunos_to_native_sigset(const int mask, sigset_t *ss) { + memset(ss, 0, sizeof(*ss)); ss->__bits[0] = mask; ss->__bits[1] = 0; ss->__bits[2] = 0; @@ -435,6 +437,7 @@ again: off += reclen; continue; } + memset(&idb, 0, sizeof(idb)); sunos_reclen = SUNOS_RECLEN(&idb, bdp->d_namlen); if (reclen > len || resid < sunos_reclen) { /* entry too big for buffer, so just stop */ diff --git a/sys/compat/sunos32/sunos32_ioctl.c b/sys/compat/sunos32/sunos32_ioctl.c index 5dfc46ccac80..598a05bae6e3 100644 --- a/sys/compat/sunos32/sunos32_ioctl.c +++ b/sys/compat/sunos32/sunos32_ioctl.c 
@@ -163,6 +163,8 @@ stios2btios(struct sunos_termios *st, struct termios *bt) { netbsd32_u_long l, r; + memset(bt, 0, sizeof(*bt)); + l = st->c_iflag; r = ((l & 0x00000001) ? IGNBRK : 0); r |= ((l & 0x00000002) ? BRKINT : 0); @@ -284,6 +286,8 @@ btios2stios(struct termios *bt, struct sunos_termios *st) netbsd32_u_long l, r; int s; + memset(st, 0, sizeof(*st)); + l = bt->c_iflag; r = ((l & IGNBRK) ? 0x00000001 : 0); r |= ((l & BRKINT) ? 0x00000002 : 0); @@ -408,6 +412,8 @@ btios2stios(struct termios *bt, struct sunos_termios *st) static void stios2stio(struct sunos_termios *ts, struct sunos_termio *t) { + + memset(t, 0, sizeof(*t)); t->c_iflag = ts->c_iflag; t->c_oflag = ts->c_oflag; t->c_cflag = ts->c_cflag; @@ -419,6 +425,8 @@ stios2stio(struct sunos_termios *ts, struct sunos_termio *t) static void stio2stios(struct sunos_termio *t, struct sunos_termios *ts) { + + memset(ts, 0, sizeof(*ts)); ts->c_iflag = t->c_iflag; ts->c_oflag = t->c_oflag; ts->c_cflag = t->c_cflag; @@ -534,6 +542,7 @@ sunos32_sys_ioctl(struct lwp *l, const struct sunos32_sys_ioctl_args *uap, if (error != 0) return error; + memset(&ss, 0, sizeof(ss)); ss.ts_row = ws.ws_row; ss.ts_col = ws.ws_col; @@ -766,6 +775,8 @@ sunos32_sys_ioctl(struct lwp *l, const struct sunos32_sys_ioctl_args *uap, if (error) return error; + memset(&sunos_aui, 0, sizeof(sunos_aui)); + sunos_aui.play = *(struct sunos_audio_prinfo *)&aui.play; sunos_aui.record = *(struct sunos_audio_prinfo *)&aui.record; @@ -962,6 +973,9 @@ static void sunos_to_bsd_flock(struct sunos_flock *, struct flock *); static void bsd_to_sunos_flock(struct flock *iflp, struct sunos_flock *oflp) { + + memset(oflp, 0, sizeof(*oflp)); + switch (iflp->l_type) { case F_RDLCK: oflp->l_type = SUNOS_F_RDLCK; 
@@ -988,6 +1002,9 @@ bsd_to_sunos_flock(struct flock *iflp, struct sunos_flock *oflp) static void sunos_to_bsd_flock(struct sunos_flock *iflp, struct flock *oflp) { + + memset(oflp, 0, sizeof(*oflp)); + switch (iflp->l_type) { case SUNOS_F_RDLCK: oflp->l_type = F_RDLCK; diff --git a/sys/compat/sunos32/sunos32_misc.c b/sys/compat/sunos32/sunos32_misc.c index 74d93c0faed8..ace2ba8c1c76 100644 --- a/sys/compat/sunos32/sunos32_misc.c +++ b/sys/compat/sunos32/sunos32_misc.c @@ -161,6 +161,7 @@ sunos32_sigvec_from_sigaction( { /*XXX*/ extern void compat_43_sigset_to_sigmask(const sigset_t *, int *); + memset(sv, 0, sizeof(*sv)); NETBSD32PTR32(sv->sv_handler, sa->sa_handler); compat_43_sigset_to_sigmask(&sa->sa_mask, &sv->sv_mask); sv->sv_flags = sa->sa_flags ^ SA_RESTART; @@ -487,6 +488,7 @@ void sunos_to_native_sigset(const int, sigset_t *); inline void native_to_sunos_sigset(const sigset_t *ss, int *mask) { + *mask = ss->__bits[0]; } @@ -494,6 +496,7 @@ inline void sunos_to_native_sigset(const int mask, sigset_t *ss) { + memset(ss, 0, sizeof(*ss)); ss->__bits[0] = mask; ss->__bits[1] = 0; ss->__bits[2] = 0; @@ -622,6 +625,7 @@ again: off += reclen; continue; } + memset(&idb, 0, sizeof(idb)); sunos_reclen = SUNOS32_RECLEN(&idb, bdp->d_namlen); if (reclen > len || resid < sunos_reclen) { /* entry too big for buffer, so just stop */ diff --git a/sys/compat/sys/statvfs.h b/sys/compat/sys/statvfs.h index cb6ad033362c..e5e9dd3c2321 100644 --- a/sys/compat/sys/statvfs.h +++ b/sys/compat/sys/statvfs.h @@ -77,6 +77,9 @@ __BEGIN_DECLS static __inline void statvfs_to_statvfs90(const struct statvfs *s, struct statvfs90 *s90) { + + memset(s90, 0, sizeof(*s90)); + s90->f_flag = s->f_flag; s90->f_bsize = s->f_bsize; s90->f_frsize = s->f_frsize; diff --git a/sys/compat/sys/time_types.h b/sys/compat/sys/time_types.h index 10898905f33d..07245e56e628 100644 --- a/sys/compat/sys/time_types.h +++ b/sys/compat/sys/time_types.h 
@@ -72,61 +72,68 @@ struct itimerspec50 { struct timespec50 it_value; }; -static __inline void timeval50_to_timeval(const struct timeval50 *ts50, - struct timeval *ts) +static __inline void +timeval50_to_timeval(const struct timeval50 *ts50, struct timeval *ts) { + memset(ts, 0, sizeof(*ts)); ts->tv_sec = ts50->tv_sec; ts->tv_usec = (suseconds_t)ts50->tv_usec; } -static __inline void timeval_to_timeval50(const struct timeval *ts, - struct timeval50 *ts50) +static __inline void +timeval_to_timeval50(const struct timeval *ts, struct timeval50 *ts50) { + memset(ts50, 0, sizeof(*ts50)); ts50->tv_sec = (long)ts->tv_sec; ts50->tv_usec = ts->tv_usec; } -static __inline void timespec50_to_timespec(const struct timespec50 *ts50, - struct timespec *ts) +static __inline void +timespec50_to_timespec(const struct timespec50 *ts50, struct timespec *ts) { + memset(ts, 0, sizeof(*ts)); ts->tv_sec = ts50->tv_sec; ts->tv_nsec = ts50->tv_nsec; } -static __inline void timespec_to_timespec50(const struct timespec *ts, - struct timespec50 *ts50) +static __inline void +timespec_to_timespec50(const struct timespec *ts, struct timespec50 *ts50) { -#if INT32_MAX < LONG_MAX /* scrub padding */ - memset(ts50, 0, offsetof(struct timespec50, tv_nsec)); -#endif + memset(ts50, 0, sizeof(*ts50)); ts50->tv_sec = (int32_t)ts->tv_sec; ts50->tv_nsec = ts->tv_nsec; } -static __inline void itimerval50_to_itimerval(const struct itimerval50 *ts50, - struct itimerval *ts) +static __inline void +itimerval50_to_itimerval(const struct itimerval50 *ts50, struct itimerval *ts) { + memset(ts, 0, sizeof(*ts)); timeval50_to_timeval(&ts50->it_interval, &ts->it_interval); timeval50_to_timeval(&ts50->it_value, &ts->it_value); } -static __inline void itimerval_to_itimerval50(const struct itimerval *ts, - struct itimerval50 *ts50) +static __inline void +itimerval_to_itimerval50(const struct itimerval *ts, struct itimerval50 *ts50) { + memset(ts50, 0, sizeof(*ts50)); timeval_to_timeval50(&ts->it_interval, 
&ts50->it_interval); timeval_to_timeval50(&ts->it_value, &ts50->it_value); } -static __inline void itimerspec50_to_itimerspec(const struct itimerspec50 *ts50, +static __inline void +itimerspec50_to_itimerspec(const struct itimerspec50 *ts50, struct itimerspec *ts) { + memset(ts, 0, sizeof(*ts)); timespec50_to_timespec(&ts50->it_interval, &ts->it_interval); timespec50_to_timespec(&ts50->it_value, &ts->it_value); } -static __inline void itimerspec_to_itimerspec50(const struct itimerspec *ts, +static __inline void +itimerspec_to_itimerspec50(const struct itimerspec *ts, struct itimerspec50 *ts50) { + memset(ts50, 0, sizeof(*ts50)); timespec_to_timespec50(&ts->it_interval, &ts50->it_interval); timespec_to_timespec50(&ts->it_value, &ts50->it_value); } diff --git a/sys/compat/ultrix/ultrix_ioctl.c b/sys/compat/ultrix/ultrix_ioctl.c index 95faa29a0e41..9b56fe79dd81 100644 --- a/sys/compat/ultrix/ultrix_ioctl.c +++ b/sys/compat/ultrix/ultrix_ioctl.c @@ -145,6 +145,8 @@ stios2btios(struct emul_termios *st, struct termios *bt) { uint32_t l, r; + memset(bt, 0, sizeof(*bt)); + l = st->c_iflag; r = ((l & 0x00000001) ? IGNBRK : 0); r |= ((l & 0x00000002) ? BRKINT : 0); @@ -276,6 +278,8 @@ btios2stios(struct termios *bt, struct emul_termios *st) uint32_t l, r; int speed; + memset(st, 0, sizeof(*st)); + l = bt->c_iflag; r = ((l & IGNBRK) ? 0x00000001 : 0); r |= ((l & BRKINT) ? 0x00000002 : 0); @@ -419,6 +423,8 @@ btios2stios(struct termios *bt, struct emul_termios *st) static void stios2stio(struct emul_termios *ts, struct emul_termio *t) { + + memset(t, 0, sizeof(*t)); t->c_iflag = ts->c_iflag; t->c_oflag = ts->c_oflag; t->c_cflag = ts->c_cflag; @@ -433,6 +439,8 @@ stios2stio(struct emul_termios *ts, struct emul_termio *t) static void stio2stios(struct emul_termio *t, struct emul_termios *ts) { + + memset(ts, 0, sizeof(*t)); ts->c_iflag = t->c_iflag; ts->c_oflag = t->c_oflag; ts->c_cflag = t->c_cflag; 
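Review bot: In the ultrix_ioctl.c stio2stios hunk (`@@ -433,6 +439,8 @@`) the new line `memset(ts, 0, sizeof(*t));` sizes the clear by the source type: ts is a struct emul_termios * but sizeof(*t) is sizeof(struct emul_termio), so the scrub covers the wrong number of bytes — too few if emul_termio is the smaller structure, leaving the tail of *ts uninitialized, which is exactly what this series sets out to prevent, or an overrun of *ts if it is the larger. It should read `memset(ts, 0, sizeof(*ts));`, matching the sunos32 counterpart earlier in the series. The function body continues past the hunk.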
@@ -534,6 +542,7 @@ ultrix_sys_ioctl(struct lwp *l, const struct ultrix_sys_ioctl_args *uap, if (error != 0) return error; + memset(&ss, 0, sizeof(ss)); ss.ts_row = ws.ws_row; ss.ts_col = ws.ws_col; diff --git a/sys/compat/ultrix/ultrix_misc.c b/sys/compat/ultrix/ultrix_misc.c index 6ab449ed954a..659fd552b411 100644 --- a/sys/compat/ultrix/ultrix_misc.c +++ b/sys/compat/ultrix/ultrix_misc.c @@ -628,6 +628,7 @@ ultrix_sys_sigvec(struct lwp *l, const struct ultrix_sys_sigvec_args *uap, regis if (error) return error; if (SCARG(uap, osv)) { + memset(&osv, 0, sizeof(osv)); osv.sv_handler = osa.sa_handler; osv.sv_flags = osa.sa_flags ^ SA_RESTART; osv.sv_flags &= (ULTRIX_SV_ONSTACK | ULTRIX_SV_INTERRUPT); @@ -687,6 +688,8 @@ static int ultrix_to_bsd_flock(struct ultrix_flock *ufl, struct flock *fl) { + memset(fl, 0, sizeof(*fl)); + fl->l_start = ufl->l_start; fl->l_len = ufl->l_len; fl->l_pid = ufl->l_pid; @@ -713,6 +716,8 @@ static void bsd_to_ultrix_flock(struct flock *fl, struct ultrix_flock *ufl) { + memset(ufl, 0, sizeof(*ufl)); + ufl->l_start = fl->l_start; ufl->l_len = fl->l_len; ufl->l_pid = fl->l_pid; From dcc28a551593f27309b89dded30e3e3fdeee432c Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Tue, 10 Aug 2021 09:54:52 +0000 Subject: [PATCH 5/7] wd(4): Fix bugs in softbadsect handling. - Don't copyout kernel virtual addresses (of SLIST entries) that userland won't use anyway. => The structure still has space for this pointer; it's just always null when userland gets it now. - Don't copyout under a lock. - Stop and return error if copyout fails (unless we've already copied some out). - Don't kmem_free under a lock. --- sys/dev/ata/wd.c | 44 ++++++++++++++++++++++++++++++++++++++------ sys/dev/ata/wdvar.h | 16 +++++++++++++++- 2 files changed, 53 insertions(+), 7 deletions(-) diff --git a/sys/dev/ata/wd.c b/sys/dev/ata/wd.c index 3fb049919eab..1e8f1e74df81 100644 --- a/sys/dev/ata/wd.c +++ b/sys/dev/ata/wd.c 
@@ -316,6 +316,7 @@ wdattach(device_t parent, device_t self, void *aux) mutex_init(&wd->sc_lock, MUTEX_DEFAULT, IPL_BIO); #ifdef WD_SOFTBADSECT SLIST_INIT(&wd->sc_bslist); + cv_init(&wd->sc_bslist_cv, "wdbadsect"); #endif wd->atabus = adev->adev_bustype; wd->inflight = 0; @@ -587,6 +588,11 @@ wddetach(device_t self, int flags) wd_sysctl_detach(wd); +#ifdef WD_SOFTBADSECT + KASSERT(SLIST_EMPTY(&wd->sc_bslist)); + cv_destroy(&wd->sc_bslist_cv); +#endif + mutex_destroy(&wd->sc_lock); wd->drvp->drive_type = ATA_DRIVET_NONE; /* no drive any more here */ @@ -1262,6 +1268,7 @@ wdioctl(dev_t dev, u_long cmd, void *addr, int flag, struct lwp *l) struct wd_softc *wd = device_lookup_private(&wd_cd, WDUNIT(dev)); struct dk_softc *dksc = &wd->sc_dksc; + int error; ATADEBUG_PRINT(("wdioctl\n"), DEBUG_FUNCS); @@ -1279,11 +1286,10 @@ wdioctl(dev_t dev, u_long cmd, void *addr, int flag, struct lwp *l) return 0; #endif #ifdef WD_SOFTBADSECT - case DIOCBSLIST : - { + case DIOCBSLIST: { uint32_t count, missing, skip; struct disk_badsecinfo dbsi; - struct disk_badsectors *dbs; + struct disk_badsectors *dbs, dbsbuf; size_t available; uint8_t *laddr; @@ -1303,7 +1309,9 @@ wdioctl(dev_t dev, u_long cmd, void *addr, int flag, struct lwp *l) * back to user space whilst the summary is returned via * the struct passed in via the ioctl. */ + error = 0; mutex_enter(&wd->sc_lock); + wd->sc_bslist_inuse++; SLIST_FOREACH(dbs, &wd->sc_bslist, dbs_next) { if (skip > 0) { missing--; 
@@ -1313,26 +1321,50 @@ wdioctl(dev_t dev, u_long cmd, void *addr, int flag, struct lwp *l) if (available < sizeof(*dbs)) break; available -= sizeof(*dbs); - copyout(dbs, laddr, sizeof(*dbs)); + memset(&dbsbuf, 0, sizeof(dbsbuf)); + dbsbuf.dbs_min = dbs->dbs_min; + dbsbuf.dbs_max = dbs->dbs_max; + dbsbuf.dbs_failedat = dbs->dbs_failedat; + mutex_exit(&wd->sc_lock); + error = copyout(&dbsbuf, laddr, sizeof(dbsbuf)); + mutex_enter(&wd->sc_lock); + if (error) + break; laddr += sizeof(*dbs); missing--; count++; } + if (--wd->sc_bslist_inuse == 0) + cv_broadcast(&wd->sc_bslist_cv); mutex_exit(&wd->sc_lock); dbsi.dbsi_left = missing; dbsi.dbsi_copied = count; *(struct disk_badsecinfo *)addr = dbsi; - return 0; + + /* + * If we copied anything out, ignore error and return + * success -- can't back it out. + */ + return count ? 0 : error; } - case DIOCBSFLUSH : + case DIOCBSFLUSH: /* Clean out the bad sector list */ mutex_enter(&wd->sc_lock); + while (wd->sc_bslist_inuse) { + error = cv_wait_sig(&wd->sc_bslist_cv, &wd->sc_lock); + if (error) { + mutex_exit(&wd->sc_lock); + return error; + } + } while (!SLIST_EMPTY(&wd->sc_bslist)) { struct disk_badsectors *dbs = SLIST_FIRST(&wd->sc_bslist); SLIST_REMOVE_HEAD(&wd->sc_bslist, dbs_next); + mutex_exit(&wd->sc_lock); kmem_free(dbs, sizeof(*dbs)); + mutex_enter(&wd->sc_lock); } mutex_exit(&wd->sc_lock); wd->sc_bscount = 0; diff --git a/sys/dev/ata/wdvar.h b/sys/dev/ata/wdvar.h index 07152ac80d5f..bfbfdbbb4d94 100644 --- a/sys/dev/ata/wdvar.h +++ b/sys/dev/ata/wdvar.h @@ -31,8 +31,20 @@ #include "opt_wd.h" #endif -#include +#include + +#include +#include +#include +#include #include +#include + +#include +#include +#include + +struct sysctllog; struct wd_softc { /* General disk infos */ @@ -64,6 +76,8 @@ struct wd_softc { #ifdef WD_SOFTBADSECT SLIST_HEAD(, disk_badsectors) sc_bslist; u_int sc_bscount; + kcondvar_t sc_bslist_cv; + u_int sc_bslist_inuse; #endif /* Retry/requeue failed transfers */ 
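Review bot: The DIOCBSLIST loop now drops sc_lock around copyout while still holding dbs, and SLIST_FOREACH reads dbs->dbs_next after the lock is retaken; that is sound only because sc_bslist_inuse makes DIOCBSFLUSH wait, and only if no other path unlinks entries from sc_bslist while the count is nonzero (head insertions would not disturb the traversal). The hunk does not state that invariant, so I would put it next to the increment: `/* Pin the list: DIOCBSFLUSH waits for sc_bslist_inuse to reach zero before unlinking, so dbs stays valid across the unlocked copyout below. */`, and confirm that flush is the only remover. In DIOCBSFLUSH the `while (wd->sc_bslist_inuse)` wait can be starved by a steady stream of DIOCBSLIST callers, acceptable for an administrative ioctl but worth a one-line comment. `wd->sc_bscount = 0;` is still written after the lock is released, though that predates this change.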
From cf3b8c81ab8314500f3136da5775e895b2eb9d22 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Tue, 10 Aug 2021 13:38:27 +0000 Subject: [PATCH 6/7] sys/dev: Memset zero before copyout. Just in case of uninitialized padding which would lead to kernel stack disclosure. If the compiler can prove the memset redundant then it can optimize it away; otherwise better safe than sorry. I think the iwi(4), mcd(4), and ses(4) changes actually plug leaks; the raidframe(4) change probably doesn't (but doesn't hurt). --- sys/dev/isa/mcd.c | 1 + sys/dev/pci/if_iwi.c | 3 ++- sys/dev/raidframe/rf_netbsdkintf.c | 6 ++++++ sys/dev/scsipi/ses.c | 1 + 4 files changed, 10 insertions(+), 1 deletion(-) diff --git a/sys/dev/isa/mcd.c b/sys/dev/isa/mcd.c index f609d86e617d..6b3e3920569d 100644 --- a/sys/dev/isa/mcd.c +++ b/sys/dev/isa/mcd.c @@ -1601,6 +1601,7 @@ mcd_read_subchannel(struct mcd_softc *sc, struct ioc_read_subchannel *ch, if ((error = mcd_getqchan(sc, &q, ch->data_format)) != 0) return error; + memset(info, 0, sizeof(*info)); info->header.audio_status = sc->audio_status; info->what.media_catalog.data_format = ch->data_format; diff --git a/sys/dev/pci/if_iwi.c b/sys/dev/pci/if_iwi.c index b8281f851e88..6fb5c7624428 100644 --- a/sys/dev/pci/if_iwi.c +++ b/sys/dev/pci/if_iwi.c @@ -1870,8 +1870,9 @@ iwi_get_table0(struct iwi_softc *sc, uint32_t *tbl) { uint32_t size, buf[128]; + memset(buf, 0, sizeof buf); + if (!(sc->flags & IWI_FLAG_FW_INITED)) { - memset(buf, 0, sizeof buf); return copyout(buf, tbl, sizeof buf); } diff --git a/sys/dev/raidframe/rf_netbsdkintf.c b/sys/dev/raidframe/rf_netbsdkintf.c index 9ecbdfbf28a6..1edf37c02073 100644 --- a/sys/dev/raidframe/rf_netbsdkintf.c +++ b/sys/dev/raidframe/rf_netbsdkintf.c @@ -3847,6 +3847,8 @@ void rf_check_recon_status_ext(RF_Raid_t *raidPtr, RF_ProgressInfo_t *info) { + memset(info, 0, sizeof(*info)); + if (raidPtr->status != rf_rs_reconstructing) { info->total = 100; info->completed = 100; 
@@ -3862,6 +3864,8 @@ void rf_check_parityrewrite_status_ext(RF_Raid_t *raidPtr, RF_ProgressInfo_t *info) { + memset(info, 0, sizeof(*info)); + if (raidPtr->parity_rewrite_in_progress == 1) { info->total = raidPtr->Layout.numStripe; info->completed = raidPtr->parity_rewrite_stripes_done; @@ -3877,6 +3881,8 @@ void rf_check_copyback_status_ext(RF_Raid_t *raidPtr, RF_ProgressInfo_t *info) { + memset(info, 0, sizeof(*info)); + if (raidPtr->copyback_in_progress == 1) { info->total = raidPtr->Layout.numStripe; info->completed = raidPtr->copyback_stripes_done; diff --git a/sys/dev/scsipi/ses.c b/sys/dev/scsipi/ses.c index be5ad03417f4..594b9d7af239 100644 --- a/sys/dev/scsipi/ses.c +++ b/sys/dev/scsipi/ses.c @@ -415,6 +415,7 @@ sesioctl(dev_t dev, u_long cmd, void *arg_addr, int flag, struct lwp *l) case SESIOC_GETOBJMAP: if (addr == NULL) return EINVAL; + memset(&obj, 0, sizeof(obj)); for (uobj = addr, i = 0; i != ssc->ses_nobjects; i++, uobj++) { obj.obj_id = i; obj.subencid = ssc->ses_objmap[i].subenclosure; From 5377c9a0dbda33ab5eed8fe1be0a6f960f037503 Mon Sep 17 00:00:00 2001 From: Taylor R Campbell Date: Fri, 13 Aug 2021 09:34:56 +0000 Subject: [PATCH 7/7] fixup! sys/compat: Memset zero before copyout. --- sys/compat/linux/arch/powerpc/linux_ptrace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/compat/linux/arch/powerpc/linux_ptrace.c b/sys/compat/linux/arch/powerpc/linux_ptrace.c index 9ff2d3c00edc..3dd66578abc7 100644 --- a/sys/compat/linux/arch/powerpc/linux_ptrace.c +++ b/sys/compat/linux/arch/powerpc/linux_ptrace.c @@ -200,7 +200,7 @@ linux_sys_ptrace_arch(struct lwp *l, const struct linux_sys_ptrace_args *uap, if (error) { break; } - memset(&linux_regs, 0, sizeof(linux_regs)); + memset(linux_regs, 0, sizeof(*linux_regs)); for (i = 0; i <= 31; i++) { linux_regs->lgpr[i] = regs->fixreg[i]; }