OPENAFS-SA-2016-002 AFSStoreVolumeStatus information leak

The AFSStoreVolumeStatus structure is used as an input to the
RXAFS_SetVolumeStatus RPC; it contains a Mask field that controls
which of the other fields will actually be read by the server
during the RPC processing.  Unfortunately, the client only
wrote to the fields indicated by the mask, leaving the other
fields uninitialized for transmission on the wire, leaking
some contents of kernel memory.

Plug the information leak by zeroing the entire structure before use.

FIXES 132847

Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e

diff --git a/src/WINNT/afsd/cm_ioctl.c b/src/WINNT/afsd/cm_ioctl.c
index db32eecad1d19a7a4069f6b432bbade4363ffaae..172cbc082e081a08c41e6764f31ae1829464cca9 100644 (file)
--- a/src/WINNT/afsd/cm_ioctl.c
+++ b/src/WINNT/afsd/cm_ioctl.c
@@ -632,6 +632,7 @@ cm_IoctlSetVolumeStatus(struct cm_ioctl *ioctlp, struct cm_user *userp, cm_scach
     clientchar_t *strp;
     struct rx_connection * rxconnp;
 
+    memset(&storeStat, 0, sizeof(storeStat));
 #ifdef AFS_FREELANCE_CLIENT
     if ( scp->fid.cell == AFS_FAKE_ROOT_CELL_ID && scp->fid.volume == AFS_FAKE_ROOT_VOL_ID ) {
        code = CM_ERROR_NOACCESS;

diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
index 0c96172be606d8c8753360ded8b8d8fd19478180..19a48650e01748043b5db0e4f3507c5102b055a5 100644 (file)
--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -2051,6 +2051,7 @@ DECL_PIOCTL(PSetVolumeStatus)
     AFS_STATCNT(PSetVolumeStatus);
     if (!avc)
        return EINVAL;
+    memset(&storeStat, 0, sizeof(storeStat));
 
     tvp = afs_GetVolume(&avc->f.fid, areq, READ_LOCK);
     if (tvp) {