From 67646c7c901a1f346d78666f432b673c5b341380 Mon Sep 17 00:00:00 2001 From: Benjamin Kaduk Date: Mon, 14 Mar 2016 23:15:20 -0500 Subject: [PATCH] OPENAFS-SA-2016-002 AFSStoreVolumeStatus information leak The AFSStoreVolumeStatus structure is used as an input to the RXAFS_SetVolumeStatus RPC; it contains a Mask field that controls which of the other fields will actually be read by the server during the RPC processing. Unfortunately, the client only wrote to the fields indicated by the mask, leaving the other fields uninitialized for transmission on the wire, leaking some contents of kernel memory. Plug the information leak by zeroing the entire structure before use. FIXES 132847 Change-Id: Ib309e6b00b95bc4178740352899d7f940f2eb1ea --- src/WINNT/afsd/cm_ioctl.c | 1 + src/afs/afs_pioctl.c | 1 + 2 files changed, 2 insertions(+) diff --git a/src/WINNT/afsd/cm_ioctl.c b/src/WINNT/afsd/cm_ioctl.c index c6230a4..5322479 100644 --- a/src/WINNT/afsd/cm_ioctl.c +++ b/src/WINNT/afsd/cm_ioctl.c @@ -652,6 +652,7 @@ cm_IoctlSetVolumeStatus(struct cm_ioctl *ioctlp, struct cm_user *userp, cm_scach clientchar_t *strp; struct rx_connection * rxconnp; + memset(&storeStat, 0, sizeof(storeStat)); #ifdef AFS_FREELANCE_CLIENT if ( scp->fid.cell == AFS_FAKE_ROOT_CELL_ID && scp->fid.volume == AFS_FAKE_ROOT_VOL_ID ) { code = CM_ERROR_NOACCESS; diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c index 948809d..5b9a8fd 100644 --- a/src/afs/afs_pioctl.c +++ b/src/afs/afs_pioctl.c @@ -2074,6 +2074,7 @@ DECL_PIOCTL(PSetVolumeStatus) AFS_STATCNT(PSetVolumeStatus); if (!avc) return EINVAL; + memset(&storeStat, 0, sizeof(storeStat)); tvp = afs_GetVolume(&avc->f.fid, areq, READ_LOCK); if (tvp) { -- 1.9.4