From: Benjamin Kaduk Date: Sat, 9 Dec 2017 02:48:19 +0000 (-0600) Subject: Import upstream patches for CVE-2016-4536/OPENAFS-SA-2016-002 X-Git-Tag: debian/1.6.9-2+deb8u6~2 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=f973141494e1defc896417b1dd24b1047c3e1938;p=packages%2Fo%2Fopenafs.git Import upstream patches for CVE-2016-4536/OPENAFS-SA-2016-002 Previously it was not deemed worthy of a DSA on its own. Change-Id: Idb19052cd8e354d9678c3ba8efd0e90b8d438645 --- diff --git a/debian/changelog b/debian/changelog index dd639b07d..12da3aa62 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ openafs (1.6.9-2+deb8u6) UNRELEASED; urgency=high * CVE-2017-17432: remote triggered Rx assertion failure + * CVE-2016-4536: information leakage from OpenAFS clients -- Benjamin Kaduk Thu, 07 Dec 2017 19:04:52 -0600 diff --git a/debian/patches/0016-OPENAFS-SA-2016-002-AFSStoreStatus-information-leak.patch b/debian/patches/0016-OPENAFS-SA-2016-002-AFSStoreStatus-information-leak.patch new file mode 100644 index 000000000..a7139a2b3 --- /dev/null +++ b/debian/patches/0016-OPENAFS-SA-2016-002-AFSStoreStatus-information-leak.patch 
@@ -0,0 +1,136 @@ +From: Benjamin Kaduk +Date: Sun, 13 Mar 2016 12:56:24 -0500 +Subject: OPENAFS-SA-2016-002 AFSStoreStatus information leak + +Marc Dionne reported that portions of the AFSStoreStatus structure +were not written to before being sent over the network for +operations such as create, symlink, etc., leaking the contents +of the kernel stack to observers. Which fields in the request +are used are controlled by a flags field, and so if a field was +not going to be used by the server, it was sometimes left +uninitialized. + +Fix the information leak by zeroing out the structure before use. + +FIXES 132847 + +Change-Id: Iebcac04d1ff70df06d054ddb3b886ab422fb2a14 +(cherry picked from commit 90cb77f975244c77ef929be723e5b871247cbe9d) +--- + src/afs/VNOPS/afs_vnop_attrs.c | 3 +++ + src/afs/VNOPS/afs_vnop_create.c | 1 + + src/afs/VNOPS/afs_vnop_dirops.c | 2 ++ + src/afs/VNOPS/afs_vnop_symlink.c | 2 ++ + src/afs/afs_disconnected.c | 1 + + src/afs/afs_segments.c | 1 + + src/libafscp/afscp_file.c | 1 + + src/venus/afsio.c | 1 + + 8 files changed, 12 insertions(+) + +diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c +index d01aff2..d9f6406 100644 +--- a/src/afs/VNOPS/afs_vnop_attrs.c ++++ b/src/afs/VNOPS/afs_vnop_attrs.c +@@ -349,6 +349,7 @@ afs_VAttrToAS(struct vcache *avc, struct vattr *av, + { + int mask; + mask = 0; ++ + AFS_STATCNT(afs_VAttrToAS); + #if defined(AFS_DARWIN80_ENV) + if (VATTR_IS_ACTIVE(av, va_mode)) { +@@ -474,6 +475,8 @@ afs_setattr(OSI_VC_DECL(avc), struct vattr *attrs, + if ((code = afs_InitReq(&treq, acred))) + return code; + ++ memset(&astat, 0, sizeof(astat)); ++ + AFS_DISCON_LOCK(); + + afs_InitFakeStat(&fakestate); +diff --git a/src/afs/VNOPS/afs_vnop_create.c b/src/afs/VNOPS/afs_vnop_create.c +index b0a562c..c1c6720 100644 +--- a/src/afs/VNOPS/afs_vnop_create.c ++++ b/src/afs/VNOPS/afs_vnop_create.c +@@ -60,6 +60,7 @@ afs_create(OSI_VC_DECL(adp), char *aname, struct vattr *attrs, + XSTATS_DECLS; + 
OSI_VC_CONVERT(adp); + ++ memset(&InStatus, 0, sizeof(InStatus)); + + AFS_STATCNT(afs_create); + if ((code = afs_InitReq(&treq, acred))) +diff --git a/src/afs/VNOPS/afs_vnop_dirops.c b/src/afs/VNOPS/afs_vnop_dirops.c +index 6128d7d..9c7d3fb 100644 +--- a/src/afs/VNOPS/afs_vnop_dirops.c ++++ b/src/afs/VNOPS/afs_vnop_dirops.c +@@ -59,6 +59,8 @@ afs_mkdir(OSI_VC_DECL(adp), char *aname, struct vattr *attrs, + afs_Trace2(afs_iclSetp, CM_TRACE_MKDIR, ICL_TYPE_POINTER, adp, + ICL_TYPE_STRING, aname); + ++ memset(&InStatus, 0, sizeof(InStatus)); ++ + if ((code = afs_InitReq(&treq, acred))) + goto done2; + afs_InitFakeStat(&fakestate); +diff --git a/src/afs/VNOPS/afs_vnop_symlink.c b/src/afs/VNOPS/afs_vnop_symlink.c +index 95f6973..8bf340b 100644 +--- a/src/afs/VNOPS/afs_vnop_symlink.c ++++ b/src/afs/VNOPS/afs_vnop_symlink.c +@@ -92,6 +92,8 @@ afs_symlink(OSI_VC_DECL(adp), char *aname, struct vattr *attrs, + afs_Trace2(afs_iclSetp, CM_TRACE_SYMLINK, ICL_TYPE_POINTER, adp, + ICL_TYPE_STRING, aname); + ++ memset(&InStatus, 0, sizeof(InStatus)); ++ + if ((code = afs_InitReq(&treq, acred))) + goto done2; + +diff --git a/src/afs/afs_disconnected.c b/src/afs/afs_disconnected.c +index 04107f0..cfd5d63 100644 +--- a/src/afs/afs_disconnected.c ++++ b/src/afs/afs_disconnected.c +@@ -671,6 +671,7 @@ afs_ProcessOpCreate(struct vcache *avc, struct vrequest *areq, + tname = afs_osi_Alloc(AFSNAMEMAX); + if (!tname) + return ENOMEM; ++ memset(&InStatus, 0, sizeof(InStatus)); + + code = afs_GetParentVCache(avc, 0, &pdir_fid, tname, &tdp); + if (code) +diff --git a/src/afs/afs_segments.c b/src/afs/afs_segments.c +index 1ea3311..2dd89cf 100644 +--- a/src/afs/afs_segments.c ++++ b/src/afs/afs_segments.c +@@ -55,6 +55,7 @@ afs_StoreMini(struct vcache *avc, struct vrequest *areq) + tlen = avc->f.truncPos; + avc->f.truncPos = AFS_NOTRUNC; + avc->f.states &= ~CExtendedFile; ++ memset(&InStatus, 0, sizeof(InStatus)); + + do { + tc = afs_Conn(&avc->f.fid, areq, SHARED_LOCK, &rxconn); +diff --git 
a/src/libafscp/afscp_file.c b/src/libafscp/afscp_file.c +index c71f601..a3985e3 100644 +--- a/src/libafscp/afscp_file.c ++++ b/src/libafscp/afscp_file.c +@@ -124,6 +124,7 @@ afscp_PWrite(const struct afscp_venusfid * fid, const void *buffer, + off_t filesize; + time_t now; + ++ memset(&sst, 0, sizeof(sst)); + vol = afscp_VolumeById(fid->cell, fid->fid.Volume); + if (vol == NULL) { + afscp_errno = ENOENT; +diff --git a/src/venus/afsio.c b/src/venus/afsio.c +index de4f7f9..8959cd0 100644 +--- a/src/venus/afsio.c ++++ b/src/venus/afsio.c +@@ -858,6 +858,7 @@ writeFile(struct cmd_syndesc *as, void *unused) + /* stdin on Windows defaults to _O_TEXT mode */ + _setmode(0, _O_BINARY); + #endif ++ memset(&InStatus, 0, sizeof(InStatus)); + + CmdProlog(as, &cell, &realm, &fname, &sSynthLen); + afscp_AnonymousAuth(1); diff --git a/debian/patches/0017-OPENAFS-SA-2016-002-AFSStoreVolumeStatus-information.patch b/debian/patches/0017-OPENAFS-SA-2016-002-AFSStoreVolumeStatus-information.patch new file mode 100644 index 000000000..f5dffcc98 --- /dev/null +++ b/debian/patches/0017-OPENAFS-SA-2016-002-AFSStoreVolumeStatus-information.patch 
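Review bot: The zeroing is repeated at every caller while afs_VAttrToAS in src/afs/VNOPS/afs_vnop_attrs.c, the shared helper that fills an AFSStoreStatus from a vattr under `mask`, gets only a stray blank line after `mask = 0;` in this hunk; if its remaining parameter (cut off here) is the output AFSStoreStatus, a single `memset(as, 0, sizeof(*as));` at its top would close the leak for afs_setattr, afs_create, afs_mkdir, afs_symlink and any future caller in one place. The per-caller memsets remain correct and are still needed for the sites that do not go through that helper (afs_StoreMini, afs_ProcessOpCreate, afscp_PWrite, writeFile), so this is a suggestion to add, not remove. The whitespace-only change in afs_VAttrToAS is noise in a security patch and would be better dropped from the Debian copy. All the affected function bodies extend beyond the hunk.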
@@ -0,0 +1,34 @@ +From: Benjamin Kaduk +Date: Mon, 14 Mar 2016 23:15:20 -0500 +Subject: OPENAFS-SA-2016-002 AFSStoreVolumeStatus information leak + +The AFSStoreVolumeStatus structure is used as an input to the +RXAFS_SetVolumeStatus RPC; it contains a Mask field that controls +which of the other fields will actually be read by the server +during the RPC processing. Unfortunately, the client only +wrote to the fields indicated by the mask, leaving the other +fields uninitialized for transmission on the wire, leaking +some contents of kernel memory. + +Plug the information leak by zeroing the entire structure before use. + +FIXES 132847 + +Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e +(cherry picked from commit 3ed975016290f916047fe2ac04303ee393e18a7a) +--- + src/afs/afs_pioctl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c +index d55a9d7..ed364a2 100644 +--- a/src/afs/afs_pioctl.c ++++ b/src/afs/afs_pioctl.c +@@ -2044,6 +2044,7 @@ DECL_PIOCTL(PSetVolumeStatus) + AFS_STATCNT(PSetVolumeStatus); + if (!avc) + return EINVAL; ++ memset(&storeStat, 0, sizeof(storeStat)); + + tvp = afs_GetVolume(&avc->f.fid, areq, READ_LOCK); + if (tvp) { diff --git a/debian/patches/0018-OPENAFS-SA-2016-002-VldbListByAttributes-information.patch b/debian/patches/0018-OPENAFS-SA-2016-002-VldbListByAttributes-information.patch new file mode 100644 index 000000000..b700863ba --- /dev/null +++ b/debian/patches/0018-OPENAFS-SA-2016-002-VldbListByAttributes-information.patch 
@@ -0,0 +1,83 @@ +From: Benjamin Kaduk +Date: Mon, 14 Mar 2016 23:15:20 -0500 +Subject: OPENAFS-SA-2016-002 VldbListByAttributes information leak + +The VldbListByAttributes structure is used as an input to several +RPCs; it contains a Mask field that controls +which of the other fields will actually be read by the server +during the RPC processing. Unfortunately, the client only +wrote to the fields indicated by the mask, leaving the other +fields uninitialized for transmission on the wire, leaking +some contents of client memory. + +Plug the information leak by zeroing the entire structure before use. + +FIXES 132847 + +Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e +(cherry picked from commit 5c4afd5558efcd54152d0be4d56c90e4c6860ef9) +--- + src/bucoord/commands.c | 1 + + src/libadmin/vos/vsprocs.c | 1 + + src/volser/vos.c | 4 ++-- + src/volser/vsprocs.c | 1 + + 4 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/bucoord/commands.c b/src/bucoord/commands.c +index a1c1385..531c3c5 100644 +--- a/src/bucoord/commands.c ++++ b/src/bucoord/commands.c +@@ -219,6 +219,7 @@ EvalVolumeSet2(struct bc_config *aconfig, + *avols = (struct bc_volumeDump *)0; + bulkentries.nbulkentries_len = 0; + bulkentries.nbulkentries_val = 0; ++ memset(&attributes, 0, sizeof(attributes)); + + /* For each of the volume set entries - collect the volumes that match it */ + for (tve = avs->ventries; tve; tve = tve->next) { +diff --git a/src/libadmin/vos/vsprocs.c b/src/libadmin/vos/vsprocs.c +index f314e01..be95938 100644 +--- a/src/libadmin/vos/vsprocs.c ++++ b/src/libadmin/vos/vsprocs.c +@@ -3626,6 +3626,7 @@ UV_SyncServer(afs_cell_handle_p cellHandle, struct rx_connection *server, + + noError = 1; + arrayEntries.nbulkentries_val = 0; ++ memset(&attributes, 0, sizeof(attributes)); + + /* Set up attributes to search VLDB */ + attributes.server = ntohl(rx_HostOf(rx_PeerOf(server))); +diff --git a/src/volser/vos.c b/src/volser/vos.c +index 77007e9..4d8e8fd 100644 +--- 
a/src/volser/vos.c ++++ b/src/volser/vos.c +@@ -4506,7 +4506,7 @@ ListVLDB(struct cmd_syndesc *as, void *arock) + aserver = 0; + apart = 0; + +- attributes.Mask = 0; ++ memset(&attributes, 0, sizeof(attributes)); + lock = (as->parms[3].items ? 1 : 0); /* -lock flag */ + quiet = (as->parms[4].items ? 1 : 0); /* -quit flag */ + sort = (as->parms[5].items ? 0 : 1); /* -nosort flag */ +@@ -5009,7 +5009,7 @@ UnlockVLDB(struct cmd_syndesc *as, void *arock) + + apart = -1; + totalE = 0; +- attributes.Mask = 0; ++ memset(&attributes, 0, sizeof(attributes)); + + if (as->parms[0].items) { /* server specified */ + aserver = GetServer(as->parms[0].items->data); +diff --git a/src/volser/vsprocs.c b/src/volser/vsprocs.c +index 3142119..4204c6f 100644 +--- a/src/volser/vsprocs.c ++++ b/src/volser/vsprocs.c +@@ -6982,6 +6982,7 @@ UV_SyncServer(afs_uint32 aserver, afs_int32 apart, int flags, int force) + aconn = UV_Bind(aserver, AFSCONF_VOLUMEPORT); + + /* Set up attributes to search VLDB */ ++ memset(&attributes, 0, sizeof(attributes)); + attributes.server = ntohl(aserver); + attributes.Mask = VLLIST_SERVER; + if ((flags & 1)) { diff --git a/debian/patches/0019-OPENAFS-SA-2016-002-ListAddrByAttributes-information.patch b/debian/patches/0019-OPENAFS-SA-2016-002-ListAddrByAttributes-information.patch new file mode 100644 index 000000000..a5964c595 --- /dev/null +++ b/debian/patches/0019-OPENAFS-SA-2016-002-ListAddrByAttributes-information.patch 
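Review bot: In EvalVolumeSet2 (src/bucoord/commands.c) the `memset(&attributes, 0, sizeof(attributes));` is placed once before the `for (tve = avs->ventries; ...)` loop, so if the loop body (outside this hunk) assigns different attribute fields per volume-set entry, a later iteration still ships the previous entry's values in the fields its own Mask does not cover. That is no longer uninitialized memory, but it is stale data on the wire that silently depends on the server honouring the Mask; moving the memset to the top of the loop body makes each request self-contained. The other sites (both UV_SyncServer variants, ListVLDB, UnlockVLDB) zero the structure immediately before populating it and look fine, and replacing `attributes.Mask = 0;` with the memset in vos.c is the right call since the Mask alone never covered the other fields. Patches 0017–0019 also carry an identical Change-Id trailer despite different cherry-picked-from hashes, which looks copy-pasted and may confuse tracking against upstream.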
@@ -0,0 +1,67 @@ +From: Benjamin Kaduk +Date: Mon, 14 Mar 2016 23:15:20 -0500 +Subject: OPENAFS-SA-2016-002 ListAddrByAttributes information leak + +The ListAddrByAttributes structure is used as an input to the GetAddrsU +RPC; it contains a Mask field that controls which of the other fields +will actually be read by the server during the RPC processing. +Unfortunately, the client only wrote to the fields indicated by the +mask, leaving the other fields uninitialized for transmission on the +wire, leaking some contents of client memory. + +Plug the information leak by zeroing the entire structure before use. + +FIXES 132847 + +Change-Id: Ia7aaccd53db56c7359552b70113f9ae5edbd833e +(cherry picked from commit becf282ecf9bec3f266d4f8403c1e93d22ab455a) +--- + src/libadmin/vos/afs_vosAdmin.c | 1 + + src/venus/cacheout.c | 1 + + src/vlserver/vlclient.c | 2 ++ + 3 files changed, 4 insertions(+) + +diff --git a/src/libadmin/vos/afs_vosAdmin.c b/src/libadmin/vos/afs_vosAdmin.c +index d24dca4..1f326a0 100644 +--- a/src/libadmin/vos/afs_vosAdmin.c ++++ b/src/libadmin/vos/afs_vosAdmin.c +@@ -1200,6 +1200,7 @@ GetServerRPC(void *rpc_specific, int slot, int *last_item, + bulkaddrs addr_multi; + int i; + ++ memset(&m_attrs, 0, sizeof(m_attrs)); + /* + * Check to see if this is a multihomed address server + */ +diff --git a/src/venus/cacheout.c b/src/venus/cacheout.c +index 2a390ad..3d44fd9 100644 +--- a/src/venus/cacheout.c ++++ b/src/venus/cacheout.c +@@ -71,6 +71,7 @@ ListServers(void) + char hoststr[16]; + ListAddrByAttributes m_attrs; + ++ memset(&m_attrs, 0, sizeof(m_attrs)); + memset(&addrs, 0, sizeof(addrs)); + memset(&spare3, 0, sizeof(spare3)); + code = +diff --git a/src/vlserver/vlclient.c b/src/vlserver/vlclient.c +index c7bfa7e..b29c5d8 100644 +--- a/src/vlserver/vlclient.c ++++ b/src/vlserver/vlclient.c +@@ -824,6 +824,7 @@ handleit(struct cmd_syndesc *as, void *arock) + + printf("[0x%x %u] (special multi-homed entry)\n", + *addrp, *addrp); ++ memset(&attrs, 0, 
sizeof(attrs)); + attrs.Mask = VLADDR_INDEX; + mhaddrs.bulkaddrs_val = 0; + mhaddrs.bulkaddrs_len = 0; +@@ -899,6 +900,7 @@ handleit(struct cmd_syndesc *as, void *arock) + + addrs2.bulkaddrs_val = 0; + addrs2.bulkaddrs_len = 0; ++ memset(&attrs, 0, sizeof(attrs)); + attrs.Mask = VLADDR_INDEX; + attrs.index = (base * VL_MHSRV_PERBLK) + index; + code = diff --git a/debian/patches/series b/debian/patches/series index d68af127e..40a44bc2c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -13,3 +13,7 @@ 0013-afs-pioctl-kernel-memory-overrun.patch 0014-OPENAFS-SA-2016-001-group-creation-by-foreign-users.patch 0015-OPENAFS-SA-2017-001-rx-Sanity-check-received-MTU-and.patch +0016-OPENAFS-SA-2016-002-AFSStoreStatus-information-leak.patch +0017-OPENAFS-SA-2016-002-AFSStoreVolumeStatus-information.patch +0018-OPENAFS-SA-2016-002-VldbListByAttributes-information.patch +0019-OPENAFS-SA-2016-002-ListAddrByAttributes-information.patch
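Review bot: In GetServerRPC (src/libadmin/vos/afs_vosAdmin.c) only `m_attrs` is zeroed while `bulkaddrs addr_multi`, declared two lines above, is not; the sibling site in src/venus/cacheout.c zeroes both the attributes and its `addrs` output, and vlclient.c explicitly sets `bulkaddrs_val`/`bulkaddrs_len` to 0, presumably because the RPC's output array must start NULL for the decoder to allocate it. If addr_multi is not cleared further down in GetServerRPC (outside this hunk), add `memset(&addr_multi, 0, sizeof(addr_multi));` beside the new line. In vlclient.c the first handleit site sets only `attrs.Mask = VLADDR_INDEX` after the new memset while the second also sets `attrs.index`; if the first relied on an `attrs.index` assignment made earlier in the block (outside the hunk), the memset now wipes it and the lookup would always query index 0, so that ordering is worth confirming. All three function bodies extend beyond the hunk.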