From: Benjamin Kaduk Date: Sun, 13 Mar 2016 17:56:24 +0000 (-0500) Subject: OPENAFS-SA-2016-002 AFSStoreStatus information leak X-Git-Tag: upstream/1.8.0_pre1^2~153 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=b85c5f9339e20d3de9b1316217dadbea41ad537e;p=packages%2Fo%2Fopenafs.git OPENAFS-SA-2016-002 AFSStoreStatus information leak Marc Dionne reported that portions of the AFSStoreStatus structure were not written to before being sent over the network for operations such as create, symlink, etc., leaking the contents of the kernel stack to observers. Which fields in the request are used are controlled by a flags field, and so if a field was not going to be used by the server, it was sometimes left uninitialized. Fix the information leak by zeroing out the structure before use. FIXES 132847 Change-Id: I84a5a10442732ebbcb5d5067ca22030fb795168b --- diff --git a/src/WINNT/afsd/cm_dcache.c b/src/WINNT/afsd/cm_dcache.c index 6da6153ba..cd7315886 100644 --- a/src/WINNT/afsd/cm_dcache.c +++ b/src/WINNT/afsd/cm_dcache.c @@ -460,6 +460,7 @@ long cm_StoreMini(cm_scache_t *scp, cm_user_t *userp, cm_req_t *reqp) int call_was_64bit = 0; memset(&volSync, 0, sizeof(volSync)); + memset(&inStatus, 0, sizeof(inStatus); osi_Log2(afsd_logp, "cm_StoreMini scp 0x%p userp 0x%p", scp, userp); diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c index cc1fd3219..3b065fd35 100644 --- a/src/afs/VNOPS/afs_vnop_attrs.c +++ b/src/afs/VNOPS/afs_vnop_attrs.c @@ -358,6 +358,7 @@ afs_VAttrToAS(struct vcache *avc, struct vattr *av, { int mask; mask = 0; + AFS_STATCNT(afs_VAttrToAS); #if defined(AFS_DARWIN80_ENV) if (VATTR_IS_ACTIVE(av, va_mode)) { @@ -483,6 +484,8 @@ afs_setattr(OSI_VC_DECL(avc), struct vattr *attrs, if ((code = afs_CreateReq(&treq, acred))) return code; + memset(&astat, 0, sizeof(astat)); + AFS_DISCON_LOCK(); afs_InitFakeStat(&fakestate); diff --git a/src/afs/VNOPS/afs_vnop_create.c b/src/afs/VNOPS/afs_vnop_create.c index 5f8819f55..a2d600d68 100644 --- a/src/afs/VNOPS/afs_vnop_create.c +++ b/src/afs/VNOPS/afs_vnop_create.c @@ -64,6 +64,7 @@ afs_create(OSI_VC_DECL(adp), char *aname, struct vattr *attrs, OutFidStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus)); OutDirStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus)); + memset(&InStatus, 0, sizeof(InStatus)); if ((code = afs_CreateReq(&treq, acred))) goto done2; diff --git a/src/afs/VNOPS/afs_vnop_dirops.c b/src/afs/VNOPS/afs_vnop_dirops.c index 9365563b0..d1d2ab2ef 100644 --- a/src/afs/VNOPS/afs_vnop_dirops.c +++ b/src/afs/VNOPS/afs_vnop_dirops.c @@ -61,6 +61,7 @@ afs_mkdir(OSI_VC_DECL(adp), char *aname, struct vattr *attrs, OutFidStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus)); OutDirStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus)); + memset(&InStatus, 0, sizeof(InStatus)); if ((code = afs_CreateReq(&treq, acred))) goto done2; diff --git a/src/afs/VNOPS/afs_vnop_symlink.c b/src/afs/VNOPS/afs_vnop_symlink.c index 14026efbb..f608b2be7 100644 --- a/src/afs/VNOPS/afs_vnop_symlink.c +++ b/src/afs/VNOPS/afs_vnop_symlink.c @@ -94,6 +94,7 @@ afs_symlink(OSI_VC_DECL(adp), char *aname, struct vattr *attrs, OutFidStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus)); OutDirStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus)); + memset(&InStatus, 0, sizeof(InStatus)); if ((code = afs_CreateReq(&treq, acred))) goto done2; diff --git a/src/afs/afs_disconnected.c b/src/afs/afs_disconnected.c index 62712b953..a83d076de 100644 --- a/src/afs/afs_disconnected.c +++ b/src/afs/afs_disconnected.c @@ -671,6 +671,7 @@ afs_ProcessOpCreate(struct vcache *avc, struct vrequest *areq, tname = afs_osi_Alloc(AFSNAMEMAX); if (!tname) return ENOMEM; + memset(&InStatus, 0, sizeof(InStatus)); code = afs_GetParentVCache(avc, 0, &pdir_fid, tname, &tdp); if (code) diff --git a/src/afs/afs_segments.c b/src/afs/afs_segments.c index c92174621..69f7445f9 100644 --- a/src/afs/afs_segments.c +++ b/src/afs/afs_segments.c @@ -55,6 +55,7 @@ afs_StoreMini(struct vcache *avc, struct vrequest *areq) tlen = avc->f.truncPos; avc->f.truncPos = AFS_NOTRUNC; avc->f.states &= ~CExtendedFile; + memset(&InStatus, 0, sizeof(InStatus)); do { tc = afs_Conn(&avc->f.fid, areq, SHARED_LOCK, &rxconn); diff --git a/src/libafscp/afscp_file.c b/src/libafscp/afscp_file.c index 8bc3ed45e..767099ef2 100644 --- a/src/libafscp/afscp_file.c +++ b/src/libafscp/afscp_file.c @@ -126,6 +126,7 @@ afscp_PWrite(const struct afscp_venusfid * fid, const void *buffer, off_t filesize; time_t now; + memset(&sst, 0, sizeof(sst)); vol = afscp_VolumeById(fid->cell, fid->fid.Volume); if (vol == NULL) { afscp_errno = ENOENT; diff --git a/src/venus/afsio.c b/src/venus/afsio.c index 9e3b1e515..c9b04f293 100644 --- a/src/venus/afsio.c +++ b/src/venus/afsio.c @@ -882,6 +882,7 @@ writeFile(struct cmd_syndesc *as, void *unused) /* stdin on Windows defaults to _O_TEXT mode */ _setmode(0, _O_BINARY); #endif + memset(&InStatus, 0, sizeof(InStatus)); CmdProlog(as, &cell, &realm, &fname, &sSynthLen); afscp_AnonymousAuth(1);