OPENAFS-SA-2016-002 AFSStoreStatus information leak

Marc Dionne reported that portions of the AFSStoreStatus structure
were not written to before being sent over the network for
operations such as create, symlink, etc., leaking the contents
of the kernel stack to observers.  Which fields in the request
are used are controlled by a flags field, and so if a field was
not going to be used by the server, it was sometimes left
uninitialized.

Fix the information leak by zeroing out the structure before use.

FIXES 132847

Change-Id: I84a5a10442732ebbcb5d5067ca22030fb795168b

diff --git a/src/WINNT/afsd/cm_dcache.c b/src/WINNT/afsd/cm_dcache.c
index 6da6153ba18591329f0cc1f87f4c7585e9e4df6b..cd7315886461e957384a5e27663df30cc0c53a00 100644 (file)
--- a/src/WINNT/afsd/cm_dcache.c
+++ b/src/WINNT/afsd/cm_dcache.c
@@ -460,6 +460,7 @@ long cm_StoreMini(cm_scache_t *scp, cm_user_t *userp, cm_req_t *reqp)
     int call_was_64bit = 0;
 
     memset(&volSync, 0, sizeof(volSync));
+    memset(&inStatus, 0, sizeof(inStatus);
 
     osi_Log2(afsd_logp, "cm_StoreMini scp 0x%p userp 0x%p", scp, userp);
 

diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c
index cc1fd32193e8a67037562a8a2f9f7dbf0d9c38f8..3b065fd35241059819c07968fff225d530bcaac0 100644 (file)
--- a/src/afs/VNOPS/afs_vnop_attrs.c
+++ b/src/afs/VNOPS/afs_vnop_attrs.c
@@ -358,6 +358,7 @@ afs_VAttrToAS(struct vcache *avc, struct vattr *av,
 {
     int mask;
     mask = 0;
+
     AFS_STATCNT(afs_VAttrToAS);
 #if     defined(AFS_DARWIN80_ENV)
     if (VATTR_IS_ACTIVE(av, va_mode)) {
@@ -483,6 +484,8 @@ afs_setattr(OSI_VC_DECL(avc), struct vattr *attrs,
     if ((code = afs_CreateReq(&treq, acred)))
        return code;
 
+    memset(&astat, 0, sizeof(astat));
+
     AFS_DISCON_LOCK();
 
     afs_InitFakeStat(&fakestate);

diff --git a/src/afs/VNOPS/afs_vnop_create.c b/src/afs/VNOPS/afs_vnop_create.c
index 5f8819f55fa6c21b5aaf7ba6eab305b27a91dc63..a2d600d68f64055b0fd9039478d1b049b3a4af9a 100644 (file)
--- a/src/afs/VNOPS/afs_vnop_create.c
+++ b/src/afs/VNOPS/afs_vnop_create.c
@@ -64,6 +64,7 @@ afs_create(OSI_VC_DECL(adp), char *aname, struct vattr *attrs,
 
     OutFidStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
     OutDirStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
+    memset(&InStatus, 0, sizeof(InStatus));
 
     if ((code = afs_CreateReq(&treq, acred)))
        goto done2;

diff --git a/src/afs/VNOPS/afs_vnop_dirops.c b/src/afs/VNOPS/afs_vnop_dirops.c
index 9365563b0cfafe79487cb3653c5cb669e60c454d..d1d2ab2ef04d7fb944ea86611750f45654d5a3f8 100644 (file)
--- a/src/afs/VNOPS/afs_vnop_dirops.c
+++ b/src/afs/VNOPS/afs_vnop_dirops.c
@@ -61,6 +61,7 @@ afs_mkdir(OSI_VC_DECL(adp), char *aname, struct vattr *attrs,
 
     OutFidStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
     OutDirStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
+    memset(&InStatus, 0, sizeof(InStatus));
 
     if ((code = afs_CreateReq(&treq, acred)))
        goto done2;

diff --git a/src/afs/VNOPS/afs_vnop_symlink.c b/src/afs/VNOPS/afs_vnop_symlink.c
index 14026efbb3647a6b43f5757f9e745c473b03e5d6..f608b2be70eab5934422ae2ba423f7ea072f1ee1 100644 (file)
--- a/src/afs/VNOPS/afs_vnop_symlink.c
+++ b/src/afs/VNOPS/afs_vnop_symlink.c
@@ -94,6 +94,7 @@ afs_symlink(OSI_VC_DECL(adp), char *aname, struct vattr *attrs,
 
     OutFidStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
     OutDirStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
+    memset(&InStatus, 0, sizeof(InStatus));
 
     if ((code = afs_CreateReq(&treq, acred)))
        goto done2;

diff --git a/src/afs/afs_disconnected.c b/src/afs/afs_disconnected.c
index 62712b9536fab569d025526ad32ca8188a27299c..a83d076de147eede3b5b7904786716a479943a2e 100644 (file)
--- a/src/afs/afs_disconnected.c
+++ b/src/afs/afs_disconnected.c
@@ -671,6 +671,7 @@ afs_ProcessOpCreate(struct vcache *avc, struct vrequest *areq,
     tname = afs_osi_Alloc(AFSNAMEMAX);
     if (!tname)
        return ENOMEM;
+    memset(&InStatus, 0, sizeof(InStatus));
 
     code = afs_GetParentVCache(avc, 0, &pdir_fid, tname, &tdp);
     if (code)

diff --git a/src/afs/afs_segments.c b/src/afs/afs_segments.c
index c921746211a470b5d5dbce55ea41d6bb2e8974d3..69f7445f9edcf76e16412792c3ddf02cb15e8bc1 100644 (file)
--- a/src/afs/afs_segments.c
+++ b/src/afs/afs_segments.c
@@ -55,6 +55,7 @@ afs_StoreMini(struct vcache *avc, struct vrequest *areq)
        tlen = avc->f.truncPos;
     avc->f.truncPos = AFS_NOTRUNC;
     avc->f.states &= ~CExtendedFile;
+    memset(&InStatus, 0, sizeof(InStatus));
 
     do {
        tc = afs_Conn(&avc->f.fid, areq, SHARED_LOCK, &rxconn);

diff --git a/src/libafscp/afscp_file.c b/src/libafscp/afscp_file.c
index 8bc3ed45e1f892ac844a2cf19b73bf2dc901db64..767099ef25fb38e706ee9e51912968b1aedcbcaa 100644 (file)
--- a/src/libafscp/afscp_file.c
+++ b/src/libafscp/afscp_file.c
@@ -126,6 +126,7 @@ afscp_PWrite(const struct afscp_venusfid * fid, const void *buffer,
     off_t filesize;
     time_t now;
 
+    memset(&sst, 0, sizeof(sst));
     vol = afscp_VolumeById(fid->cell, fid->fid.Volume);
     if (vol == NULL) {
        afscp_errno = ENOENT;

diff --git a/src/venus/afsio.c b/src/venus/afsio.c
index 9e3b1e515d6a9e0f0f6d9469da16156e305e9e11..c9b04f2933040f45850ff351fbe1e8d8c0654e23 100644 (file)
--- a/src/venus/afsio.c
+++ b/src/venus/afsio.c
@@ -882,6 +882,7 @@ writeFile(struct cmd_syndesc *as, void *unused)
     /* stdin on Windows defaults to _O_TEXT mode */
     _setmode(0, _O_BINARY);
 #endif
+    memset(&InStatus, 0, sizeof(InStatus));
 
     CmdProlog(as, &cell, &realm, &fname, &sSynthLen);
     afscp_AnonymousAuth(1);