OPENAFS-SA-2016-002 AFSStoreVolumeStatus information leak

The AFSStoreVolumeStatus structure is used as an input to the
RXAFS_SetVolumeStatus RPC; it contains a Mask field that controls
which of the other fields will actually be read by the server
during the RPC processing.  Unfortunately, the client only
wrote to the fields indicated by the mask, leaving the other
fields uninitialized for transmission on the wire, leaking
some contents of kernel memory.

Plug the information leak by zeroing the entire structure before use.

FIXES 132847

Change-Id: Ib309e6b00b95bc4178740352899d7f940f2eb1ea

diff --git a/src/WINNT/afsd/cm_ioctl.c b/src/WINNT/afsd/cm_ioctl.c
index c6230a426cfabb57027712b488bf4a0b4fb24730..5322479d825367d54ff336cf278f163160aea68c 100644 (file)
--- a/src/WINNT/afsd/cm_ioctl.c
+++ b/src/WINNT/afsd/cm_ioctl.c
@@ -652,6 +652,7 @@ cm_IoctlSetVolumeStatus(struct cm_ioctl *ioctlp, struct cm_user *userp, cm_scach
     clientchar_t *strp;
     struct rx_connection * rxconnp;
 
+    memset(&storeStat, 0, sizeof(storeStat));
 #ifdef AFS_FREELANCE_CLIENT
     if ( scp->fid.cell == AFS_FAKE_ROOT_CELL_ID && scp->fid.volume == AFS_FAKE_ROOT_VOL_ID ) {
        code = CM_ERROR_NOACCESS;

diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
index 948809d7d240a8386f19f16974e8b0fdb6b08a93..5b9a8fd081b36cb962685a85bc7eb751a1c72d7e 100644 (file)
--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -2074,6 +2074,7 @@ DECL_PIOCTL(PSetVolumeStatus)
     AFS_STATCNT(PSetVolumeStatus);
     if (!avc)
        return EINVAL;
+    memset(&storeStat, 0, sizeof(storeStat));
 
     tvp = afs_GetVolume(&avc->f.fid, areq, READ_LOCK);
     if (tvp) {