8 files changed, 14 insertions, 1 deletions

diff --git a/UPDATING b/UPDATING
index bb2a9a9ddf91..d3930a33ef32 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,9 @@ Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.  Important recent entries: 20040724 (default X changes).
 
+20050506:	p13	FreeBSD-SA-05:08.kmem
+	Correct several local kernel memory disclosure bugs.
+
 20050506:	p12	FreeBSD-SA-05:07.ldt
 	Correctly validate inputs to the i386_get_ldt syscall.
 
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index c5712880d515..48594499e25c 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="5.3"
-BRANCH="RELEASE-p12"
+BRANCH="RELEASE-p13"
 RELEASE="${REVISION}-${BRANCH}"
 VERSION="${TYPE} ${RELEASE}"
 
diff --git a/sys/kern/subr_bus.c b/sys/kern/subr_bus.c
index 37a66480b92c..3710ede5e090 100644
--- a/sys/kern/subr_bus.c
+++ b/sys/kern/subr_bus.c
@@ -3719,6 +3719,7 @@ sysctl_devices(SYSCTL_HANDLER_ARGS)
 	/*
 	 * Populate the return array.
 	 */
+	bzero(&udev, sizeof(udev));
 	udev.dv_handle = (uintptr_t)dev;
 	udev.dv_parent = (uintptr_t)dev->parent;
 	if (dev->nameunit == NULL)
@@ -3790,6 +3791,7 @@ sysctl_rman(SYSCTL_HANDLER_ARGS)
 	 * resource manager.
 	 */
 	if (res_idx == -1) {
+		bzero(&urm, sizeof(urm));
 		urm.rm_handle = (uintptr_t)rm;
 		strlcpy(urm.rm_descr, rm->rm_descr, RM_TEXTLEN);
 		urm.rm_start = rm->rm_start;
@@ -3805,6 +3807,7 @@ sysctl_rman(SYSCTL_HANDLER_ARGS)
 	 */
 	TAILQ_FOREACH(res, &rm->rm_list, r_link) {
 		if (res_idx-- == 0) {
+			bzero(&ures, sizeof(ures));
 			ures.r_handle = (uintptr_t)res;
 			ures.r_parent = (uintptr_t)res->r_rm;
 			ures.r_device = (uintptr_t)res->r_dev;
diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c
index ad6d7490caa5..8f5c4c9afb42 100644
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@@ -2899,6 +2899,7 @@ sysctl_vfs_conflist(SYSCTL_HANDLER_ARGS)
 
 	error = 0;
 	TAILQ_FOREACH(vfsp, &vfsconf, vfc_list) {
+		bzero(&xvfsp, sizeof(xvfsp));
 		vfsconf2x(vfsp, &xvfsp);
 		error = SYSCTL_OUT(req, &xvfsp, sizeof xvfsp);
 		if (error)
@@ -2943,6 +2944,7 @@ vfs_sysctl(SYSCTL_HANDLER_ARGS)
 				break;
 		if (vfsp == NULL)
 			return (EOPNOTSUPP);
+		bzero(&xvfsp, sizeof(xvfsp));
 		vfsconf2x(vfsp, &xvfsp);
 		return (SYSCTL_OUT(req, &xvfsp, sizeof(xvfsp)));
 	}
@@ -2962,6 +2964,7 @@ sysctl_ovfs_conf(SYSCTL_HANDLER_ARGS)
 	struct ovfsconf ovfs;
 
 	TAILQ_FOREACH(vfsp, &vfsconf, vfc_list) {
+		bzero(&ovfs, sizeof(ovfs));
 		ovfs.vfc_vfsops = vfsp->vfc_vfsops;	/* XXX used as flag */
 		strcpy(ovfs.vfc_name, vfsp->vfc_name);
 		ovfs.vfc_index = vfsp->vfc_typenum;
diff --git a/sys/net/if_mib.c b/sys/net/if_mib.c
index f104b77bfd2b..de6698eaaf09 100644
--- a/sys/net/if_mib.c
+++ b/sys/net/if_mib.c
@@ -90,6 +90,7 @@ sysctl_ifdata(SYSCTL_HANDLER_ARGS) /* XXX bad syntax! */
 		return ENOENT;
 
 	case IFDATA_GENERAL:
+		bzero(&ifmd, sizeof(ifmd));
 		strlcpy(ifmd.ifmd_name, ifp->if_xname, sizeof(ifmd.ifmd_name));
 
 #define COPY(fld) ifmd.ifmd_##fld = ifp->if_##fld
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index 106aa56ed8a1..c15121354af6 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -598,6 +598,7 @@ div_pcblist(SYSCTL_HANDLER_ARGS)
 		inp = inp_list[i];
 		if (inp->inp_gencnt <= gencnt) {
 			struct xinpcb xi;
+			bzero(&xi, sizeof(xi));
 			xi.xi_len = sizeof xi;
 			/* XXX should avoid extra copy */
 			bcopy(inp, &xi.xi_inp, sizeof *inp);
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 49e5904209b5..3b32d3ec9911 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -846,6 +846,7 @@ rip_pcblist(SYSCTL_HANDLER_ARGS)
 		inp = inp_list[i];
 		if (inp->inp_gencnt <= gencnt) {
 			struct xinpcb xi;
+			bzero(&xi, sizeof(xi));
 			xi.xi_len = sizeof xi;
 			/* XXX should avoid extra copy */
 			bcopy(inp, &xi.xi_inp, sizeof *inp);
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index c3fd5166e620..4319c627ea91 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -642,6 +642,7 @@ udp_pcblist(SYSCTL_HANDLER_ARGS)
 		inp = inp_list[i];
 		if (inp->inp_gencnt <= gencnt) {
 			struct xinpcb xi;
+			bzero(&xi, sizeof(xi));
 			xi.xi_len = sizeof xi;
 			/* XXX should avoid extra copy */
 			bcopy(inp, &xi.xi_inp, sizeof *inp);