doc/share/security/patches/EN-18:05/mem.10.4.patch

--- sys/compat/linux/linux_ioctl.c.orig
+++ sys/compat/linux/linux_ioctl.c
@@ -246,6 +246,7 @@
 		} else if ((args->cmd & 0xffff) == LINUX_HDIO_GET_GEO_BIG) {
 			struct linux_hd_big_geometry hdbg;
 
+			memset(&hdbg, 0, sizeof(hdbg));
 			hdbg.cylinders = fwcylinders;
 			hdbg.heads = fwheads;
 			hdbg.sectors = fwsectors;
@@ -2426,6 +2427,7 @@
 		printf("%s(): ioctl %d on %.*s\n", __func__,
 		    args->cmd & 0xffff, LINUX_IFNAMSIZ, lifname);
 #endif
+		memset(ifname, 0, sizeof(ifname));
 		ifp = ifname_linux_to_bsd(td, lifname, ifname);
 		if (ifp == NULL)
 			return (EINVAL);
--- sys/compat/linux/linux_ipc.c.orig
+++ sys/compat/linux/linux_ipc.c
@@ -516,6 +516,9 @@
 	register_t rval;
 	int cmd, error;
 
+	memset(&linux_seminfo, 0, sizeof(linux_seminfo));
+	memset(&linux_semid, 0, sizeof(linux_semid));
+
 	switch (args->cmd & ~LINUX_IPC_64) {
 	case LINUX_IPC_RMID:
 		cmd = IPC_RMID;
@@ -661,6 +664,8 @@
 	struct l_msqid_ds linux_msqid;
 	struct msqid_ds bsd_msqid;
 
+	memset(&linux_msqid, 0, sizeof(linux_msqid));
+
 	bsd_cmd = args->cmd & ~LINUX_IPC_64;
 	switch (bsd_cmd) {
 	case LINUX_IPC_INFO:
@@ -667,6 +672,7 @@
 	case LINUX_MSG_INFO: {
 		struct l_msginfo linux_msginfo;
 
+		memset(&linux_msginfo, 0, sizeof(linux_msginfo));
 		/*
 		 * XXX MSG_INFO uses the same data structure but returns different
 		 * dynamic counters in msgpool, msgmap, and msgtql fields.
@@ -789,6 +795,10 @@
 	struct shmid_ds bsd_shmid;
 	int error;
 
+	memset(&linux_shm_info, 0, sizeof(linux_shm_info));
+	memset(&linux_shmid, 0, sizeof(linux_shmid));
+	memset(&linux_shminfo, 0, sizeof(linux_shminfo));
+
 	switch (args->cmd & ~LINUX_IPC_64) {
 
 	case LINUX_IPC_INFO: {
--- sys/dev/ath/if_ath_btcoex.c.orig
+++ sys/dev/ath/if_ath_btcoex.c
@@ -321,7 +321,7 @@
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -330,6 +330,7 @@
 	switch (id) {
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;
--- sys/dev/ath/if_ath_lna_div.c.orig
+++ sys/dev/ath/if_ath_lna_div.c
@@ -185,7 +185,7 @@
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -194,6 +194,7 @@
 	switch (id) {
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;
--- sys/dev/ath/if_ath_spectral.c.orig
+++ sys/dev/ath/if_ath_spectral.c
@@ -210,7 +210,7 @@
 		 * pointer for us to use below in reclaiming the buffer;
 		 * may want to be more defensive.
 		 */
-		outdata = malloc(outsize, M_TEMP, M_NOWAIT);
+		outdata = malloc(outsize, M_TEMP, M_NOWAIT | M_ZERO);
 		if (outdata == NULL) {
 			error = ENOMEM;
 			goto bad;
@@ -273,6 +273,7 @@
 		break;
 		default:
 			error = EINVAL;
+			goto bad;
 	}
 	if (outsize < ad->ad_out_size)
 		ad->ad_out_size = outsize;