Previously it was not deemed worthy of a DSA on its own.
Change-Id: Idb19052cd8e354d9678c3ba8efd0e90b8d438645
openafs (1.6.9-2+deb8u6) UNRELEASED; urgency=high
* CVE-2017-17432: remote triggered Rx assertion failure
+ * CVE-2016-4536: information leakage from OpenAFS clients
-- Benjamin Kaduk <kaduk@mit.edu> Thu, 07 Dec 2017 19:04:52 -0600
--- /dev/null
+From: Benjamin Kaduk <kaduk@mit.edu>
+Date: Sun, 13 Mar 2016 12:56:24 -0500
+Subject: OPENAFS-SA-2016-002 AFSStoreStatus information leak
+
+Marc Dionne reported that portions of the AFSStoreStatus structure
+were not written to before being sent over the network for
+operations such as create, symlink, etc., leaking the contents
+of the kernel stack to observers. Which fields in the request
+are used are controlled by a flags field, and so if a field was
+not going to be used by the server, it was sometimes left
+uninitialized.
+
+Fix the information leak by zeroing out the structure before use.
+
+FIXES 132847
+
+Change-Id: Iebcac04d1ff70df06d054ddb3b886ab422fb2a14
+(cherry picked from commit 90cb77f975244c77ef929be723e5b871247cbe9d)
+---
+ src/afs/VNOPS/afs_vnop_attrs.c | 3 +++
+ src/afs/VNOPS/afs_vnop_create.c | 1 +
+ src/afs/VNOPS/afs_vnop_dirops.c | 2 ++
+ src/afs/VNOPS/afs_vnop_symlink.c | 2 ++
+ src/afs/afs_disconnected.c | 1 +
+ src/afs/afs_segments.c | 1 +
+ src/libafscp/afscp_file.c | 1 +
+ src/venus/afsio.c | 1 +
+ 8 files changed, 12 insertions(+)
+
+diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c
+index d01aff2..d9f6406 100644
+--- a/src/afs/VNOPS/afs_vnop_attrs.c
++++ b/src/afs/VNOPS/afs_vnop_attrs.c
+@@ -349,6 +349,7 @@ afs_VAttrToAS(struct vcache *avc, struct vattr *av,
+ {
+ int mask;
+ mask = 0;
++
+ AFS_STATCNT(afs_VAttrToAS);
+ #if defined(AFS_DARWIN80_ENV)
+ if (VATTR_IS_ACTIVE(av, va_mode)) {
+@@ -474,6 +475,8 @@ afs_setattr(OSI_VC_DECL(avc), struct vattr *attrs,
+ if ((code = afs_InitReq(&treq, acred)))
+ return code;
+
++ memset(&astat, 0, sizeof(astat));
++
+ AFS_DISCON_LOCK();
+
+ afs_InitFakeStat(&fakestate);
+diff --git a/src/afs/VNOPS/afs_vnop_create.c b/src/afs/VNOPS/afs_vnop_create.c
+index b0a562c..c1c6720 100644
+--- a/src/afs/VNOPS/afs_vnop_create.c
++++ b/src/afs/VNOPS/afs_vnop_create.c
+@@ -60,6 +60,7 @@ afs_create(OSI_VC_DECL(adp), char *aname, struct vattr *attrs,
+ XSTATS_DECLS;
+ OSI_VC_CONVERT(adp);
+
++ memset(&InStatus, 0, sizeof(InStatus));
+
+ AFS_STATCNT(afs_create);
+ if ((code = afs_InitReq(&treq, acred)))
+diff --git a/src/afs/VNOPS/afs_vnop_dirops.c b/src/afs/VNOPS/afs_vnop_dirops.c
+index 6128d7d..9c7d3fb 100644
+--- a/src/afs/VNOPS/afs_vnop_dirops.c
++++ b/src/afs/VNOPS/afs_vnop_dirops.c
+@@ -59,6 +59,8 @@ afs_mkdir(OSI_VC_DECL(adp), char *aname, struct vattr *attrs,
+ afs_Trace2(afs_iclSetp, CM_TRACE_MKDIR, ICL_TYPE_POINTER, adp,
+ ICL_TYPE_STRING, aname);
+
++ memset(&InStatus, 0, sizeof(InStatus));
++
+ if ((code = afs_InitReq(&treq, acred)))
+ goto done2;
+ afs_InitFakeStat(&fakestate);
+diff --git a/src/afs/VNOPS/afs_vnop_symlink.c b/src/afs/VNOPS/afs_vnop_symlink.c
+index 95f6973..8bf340b 100644
+--- a/src/afs/VNOPS/afs_vnop_symlink.c
++++ b/src/afs/VNOPS/afs_vnop_symlink.c
+@@ -92,6 +92,8 @@ afs_symlink(OSI_VC_DECL(adp), char *aname, struct vattr *attrs,
+ afs_Trace2(afs_iclSetp, CM_TRACE_SYMLINK, ICL_TYPE_POINTER, adp,
+ ICL_TYPE_STRING, aname);
+
++ memset(&InStatus, 0, sizeof(InStatus));
++
+ if ((code = afs_InitReq(&treq, acred)))
+ goto done2;
+
+diff --git a/src/afs/afs_disconnected.c b/src/afs/afs_disconnected.c
+index 04107f0..cfd5d63 100644
+--- a/src/afs/afs_disconnected.c
++++ b/src/afs/afs_disconnected.c
+@@ -671,6 +671,7 @@ afs_ProcessOpCreate(struct vcache *avc, struct vrequest *areq,
+ tname = afs_osi_Alloc(AFSNAMEMAX);
+ if (!tname)
+ return ENOMEM;
++ memset(&InStatus, 0, sizeof(InStatus));
+
+ code = afs_GetParentVCache(avc, 0, &pdir_fid, tname, &tdp);
+ if (code)
+diff --git a/src/afs/afs_segments.c b/src/afs/afs_segments.c
+index 1ea3311..2dd89cf 100644
+--- a/src/afs/afs_segments.c
++++ b/src/afs/afs_segments.c
+@@ -55,6 +55,7 @@ afs_StoreMini(struct vcache *avc, struct vrequest *areq)
+ tlen = avc->f.truncPos;
+ avc->f.truncPos = AFS_NOTRUNC;
+ avc->f.states &= ~CExtendedFile;
++ memset(&InStatus, 0, sizeof(InStatus));
+
+ do {
+ tc = afs_Conn(&avc->f.fid, areq, SHARED_LOCK, &rxconn);
+diff --git a/src/libafscp/afscp_file.c b/src/libafscp/afscp_file.c
+index c71f601..a3985e3 100644
+--- a/src/libafscp/afscp_file.c
++++ b/src/libafscp/afscp_file.c
+@@ -124,6 +124,7 @@ afscp_PWrite(const struct afscp_venusfid * fid, const void *buffer,
+ off_t filesize;
+ time_t now;
+
++ memset(&sst, 0, sizeof(sst));
+ vol = afscp_VolumeById(fid->cell, fid->fid.Volume);
+ if (vol == NULL) {
+ afscp_errno = ENOENT;
+diff --git a/src/venus/afsio.c b/src/venus/afsio.c
+index de4f7f9..8959cd0 100644
+--- a/src/venus/afsio.c
++++ b/src/venus/afsio.c
+@@ -858,6 +858,7 @@ writeFile(struct cmd_syndesc *as, void *unused)
+ /* stdin on Windows defaults to _O_TEXT mode */
+ _setmode(0, _O_BINARY);
+ #endif
++ memset(&InStatus, 0, sizeof(InStatus));
+
+ CmdProlog(as, &cell, &realm, &fname, &sSynthLen);
+ afscp_AnonymousAuth(1);
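Review bot: The new `memset(&InStatus, 0, sizeof(InStatus));` lines (afs_vnop_create.c, afs_vnop_dirops.c, afs_vnop_symlink.c, afs_disconnected.c, afs_segments.c, afsio.c, plus `astat` in afs_vnop_attrs.c and `sst` in afscp_file.c) carry no comment saying why the whole structure must be zeroed, so a later cleanup could plausibly shrink them back to initialising only the mask field, which is exactly the pattern patch 0018 removes from vos.c (`attributes.Mask = 0;`). A one-line comment at each site, e.g. `/* Zero the whole struct: it is marshalled onto the wire and fields the mask excludes are still transmitted. */`, would pin the reason; the same applies to the memsets added by patches 0017, 0018 and 0019. Every hunk here is a fragment: the zeroed structures are declared and the enclosing functions begin outside the hunks, so it is worth confirming against the full sources that no field is assigned before the memset, which would otherwise be silently erased. The first hunk of afs_vnop_attrs.c (afs_VAttrToAS) adds only a blank line after `mask = 0;` and could be dropped the next time the patch is refreshed.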
--- /dev/null
+From: Benjamin Kaduk <kaduk@mit.edu>
+Date: Mon, 14 Mar 2016 23:15:20 -0500
+Subject: OPENAFS-SA-2016-002 AFSStoreVolumeStatus information leak
+
+The AFSStoreVolumeStatus structure is used as an input to the
+RXAFS_SetVolumeStatus RPC; it contains a Mask field that controls
+which of the other fields will actually be read by the server
+during the RPC processing. Unfortunately, the client only
+wrote to the fields indicated by the mask, leaving the other
+fields uninitialized for transmission on the wire, leaking
+some contents of kernel memory.
+
+Plug the information leak by zeroing the entire structure before use.
+
+FIXES 132847
+
+Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e
+(cherry picked from commit 3ed975016290f916047fe2ac04303ee393e18a7a)
+---
+ src/afs/afs_pioctl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
+index d55a9d7..ed364a2 100644
+--- a/src/afs/afs_pioctl.c
++++ b/src/afs/afs_pioctl.c
+@@ -2044,6 +2044,7 @@ DECL_PIOCTL(PSetVolumeStatus)
+ AFS_STATCNT(PSetVolumeStatus);
+ if (!avc)
+ return EINVAL;
++ memset(&storeStat, 0, sizeof(storeStat));
+
+ tvp = afs_GetVolume(&avc->f.fid, areq, READ_LOCK);
+ if (tvp) {
--- /dev/null
+From: Benjamin Kaduk <kaduk@mit.edu>
+Date: Mon, 14 Mar 2016 23:15:20 -0500
+Subject: OPENAFS-SA-2016-002 VldbListByAttributes information leak
+
+The VldbListByAttributes structure is used as an input to several
+RPCs; it contains a Mask field that controls
+which of the other fields will actually be read by the server
+during the RPC processing. Unfortunately, the client only
+wrote to the fields indicated by the mask, leaving the other
+fields uninitialized for transmission on the wire, leaking
+some contents of client memory.
+
+Plug the information leak by zeroing the entire structure before use.
+
+FIXES 132847
+
+Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e
+(cherry picked from commit 5c4afd5558efcd54152d0be4d56c90e4c6860ef9)
+---
+ src/bucoord/commands.c | 1 +
+ src/libadmin/vos/vsprocs.c | 1 +
+ src/volser/vos.c | 4 ++--
+ src/volser/vsprocs.c | 1 +
+ 4 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/bucoord/commands.c b/src/bucoord/commands.c
+index a1c1385..531c3c5 100644
+--- a/src/bucoord/commands.c
++++ b/src/bucoord/commands.c
+@@ -219,6 +219,7 @@ EvalVolumeSet2(struct bc_config *aconfig,
+ *avols = (struct bc_volumeDump *)0;
+ bulkentries.nbulkentries_len = 0;
+ bulkentries.nbulkentries_val = 0;
++ memset(&attributes, 0, sizeof(attributes));
+
+ /* For each of the volume set entries - collect the volumes that match it */
+ for (tve = avs->ventries; tve; tve = tve->next) {
+diff --git a/src/libadmin/vos/vsprocs.c b/src/libadmin/vos/vsprocs.c
+index f314e01..be95938 100644
+--- a/src/libadmin/vos/vsprocs.c
++++ b/src/libadmin/vos/vsprocs.c
+@@ -3626,6 +3626,7 @@ UV_SyncServer(afs_cell_handle_p cellHandle, struct rx_connection *server,
+
+ noError = 1;
+ arrayEntries.nbulkentries_val = 0;
++ memset(&attributes, 0, sizeof(attributes));
+
+ /* Set up attributes to search VLDB */
+ attributes.server = ntohl(rx_HostOf(rx_PeerOf(server)));
+diff --git a/src/volser/vos.c b/src/volser/vos.c
+index 77007e9..4d8e8fd 100644
+--- a/src/volser/vos.c
++++ b/src/volser/vos.c
+@@ -4506,7 +4506,7 @@ ListVLDB(struct cmd_syndesc *as, void *arock)
+ aserver = 0;
+ apart = 0;
+
+- attributes.Mask = 0;
++ memset(&attributes, 0, sizeof(attributes));
+ lock = (as->parms[3].items ? 1 : 0); /* -lock flag */
+ quiet = (as->parms[4].items ? 1 : 0); /* -quit flag */
+ sort = (as->parms[5].items ? 0 : 1); /* -nosort flag */
+@@ -5009,7 +5009,7 @@ UnlockVLDB(struct cmd_syndesc *as, void *arock)
+
+ apart = -1;
+ totalE = 0;
+- attributes.Mask = 0;
++ memset(&attributes, 0, sizeof(attributes));
+
+ if (as->parms[0].items) { /* server specified */
+ aserver = GetServer(as->parms[0].items->data);
+diff --git a/src/volser/vsprocs.c b/src/volser/vsprocs.c
+index 3142119..4204c6f 100644
+--- a/src/volser/vsprocs.c
++++ b/src/volser/vsprocs.c
+@@ -6982,6 +6982,7 @@ UV_SyncServer(afs_uint32 aserver, afs_int32 apart, int flags, int force)
+ aconn = UV_Bind(aserver, AFSCONF_VOLUMEPORT);
+
+ /* Set up attributes to search VLDB */
++ memset(&attributes, 0, sizeof(attributes));
+ attributes.server = ntohl(aserver);
+ attributes.Mask = VLLIST_SERVER;
+ if ((flags & 1)) {
--- /dev/null
+From: Benjamin Kaduk <kaduk@mit.edu>
+Date: Mon, 14 Mar 2016 23:15:20 -0500
+Subject: OPENAFS-SA-2016-002 ListAddrByAttributes information leak
+
+The ListAddrByAttributes structure is used as an input to the GetAddrsU
+RPC; it contains a Mask field that controls which of the other fields
+will actually be read by the server during the RPC processing.
+Unfortunately, the client only wrote to the fields indicated by the
+mask, leaving the other fields uninitialized for transmission on the
+wire, leaking some contents of client memory.
+
+Plug the information leak by zeroing the entire structure before use.
+
+FIXES 132847
+
+Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e
+(cherry picked from commit becf282ecf9bec3f266d4f8403c1e93d22ab455a)
+---
+ src/libadmin/vos/afs_vosAdmin.c | 1 +
+ src/venus/cacheout.c | 1 +
+ src/vlserver/vlclient.c | 2 ++
+ 3 files changed, 4 insertions(+)
+
+diff --git a/src/libadmin/vos/afs_vosAdmin.c b/src/libadmin/vos/afs_vosAdmin.c
+index d24dca4..1f326a0 100644
+--- a/src/libadmin/vos/afs_vosAdmin.c
++++ b/src/libadmin/vos/afs_vosAdmin.c
+@@ -1200,6 +1200,7 @@ GetServerRPC(void *rpc_specific, int slot, int *last_item,
+ bulkaddrs addr_multi;
+ int i;
+
++ memset(&m_attrs, 0, sizeof(m_attrs));
+ /*
+ * Check to see if this is a multihomed address server
+ */
+diff --git a/src/venus/cacheout.c b/src/venus/cacheout.c
+index 2a390ad..3d44fd9 100644
+--- a/src/venus/cacheout.c
++++ b/src/venus/cacheout.c
+@@ -71,6 +71,7 @@ ListServers(void)
+ char hoststr[16];
+ ListAddrByAttributes m_attrs;
+
++ memset(&m_attrs, 0, sizeof(m_attrs));
+ memset(&addrs, 0, sizeof(addrs));
+ memset(&spare3, 0, sizeof(spare3));
+ code =
+diff --git a/src/vlserver/vlclient.c b/src/vlserver/vlclient.c
+index c7bfa7e..b29c5d8 100644
+--- a/src/vlserver/vlclient.c
++++ b/src/vlserver/vlclient.c
+@@ -824,6 +824,7 @@ handleit(struct cmd_syndesc *as, void *arock)
+
+ printf("[0x%x %u] (special multi-homed entry)\n",
+ *addrp, *addrp);
++ memset(&attrs, 0, sizeof(attrs));
+ attrs.Mask = VLADDR_INDEX;
+ mhaddrs.bulkaddrs_val = 0;
+ mhaddrs.bulkaddrs_len = 0;
+@@ -899,6 +900,7 @@ handleit(struct cmd_syndesc *as, void *arock)
+
+ addrs2.bulkaddrs_val = 0;
+ addrs2.bulkaddrs_len = 0;
++ memset(&attrs, 0, sizeof(attrs));
+ attrs.Mask = VLADDR_INDEX;
+ attrs.index = (base * VL_MHSRV_PERBLK) + index;
+ code =
0013-afs-pioctl-kernel-memory-overrun.patch
0014-OPENAFS-SA-2016-001-group-creation-by-foreign-users.patch
0015-OPENAFS-SA-2017-001-rx-Sanity-check-received-MTU-and.patch
+0016-OPENAFS-SA-2016-002-AFSStoreStatus-information-leak.patch
+0017-OPENAFS-SA-2016-002-AFSStoreVolumeStatus-information.patch
+0018-OPENAFS-SA-2016-002-VldbListByAttributes-information.patch
+0019-OPENAFS-SA-2016-002-ListAddrByAttributes-information.patch