From 90cb77f975244c77ef929be723e5b871247cbe9d Mon Sep 17 00:00:00 2001
From: Benjamin Kaduk
Date: Sun, 13 Mar 2016 12:56:24 -0500
Subject: [PATCH] OPENAFS-SA-2016-002 AFSStoreStatus information leak

Marc Dionne reported that portions of the AFSStoreStatus structure were not written to before being sent over the network for operations such as create, symlink, etc., leaking the contents of the kernel stack to observers.

Which fields in the request are used are controlled by a flags field, and so if a field was not going to be used by the server, it was sometimes left uninitialized.

Fix the information leak by zeroing out the structure before use.

FIXES 132847

Change-Id: Iebcac04d1ff70df06d054ddb3b886ab422fb2a14
---
 src/WINNT/afsd/cm_dcache.c | 1 +
 src/afs/VNOPS/afs_vnop_attrs.c | 3 +++
 src/afs/VNOPS/afs_vnop_create.c | 1 +
 src/afs/VNOPS/afs_vnop_dirops.c | 1 +
 src/afs/VNOPS/afs_vnop_symlink.c | 1 +
 src/afs/afs_disconnected.c | 1 +
 src/afs/afs_segments.c | 1 +
 src/libafscp/afscp_file.c | 1 +
 src/venus/afsio.c | 1 +
 9 files changed, 11 insertions(+)

diff --git a/src/WINNT/afsd/cm_dcache.c b/src/WINNT/afsd/cm_dcache.c
index 031ce29f1..b65fe1c85 100644
--- a/src/WINNT/afsd/cm_dcache.c
+++ b/src/WINNT/afsd/cm_dcache.c
@@ -416,6 +416,7 @@ long cm_StoreMini(cm_scache_t *scp, cm_user_t *userp, cm_req_t *reqp)
 int call_was_64bit = 0;
 memset(&volSync, 0, sizeof(volSync));
+ memset(&inStatus, 0, sizeof(inStatus);
 osi_Log2(afsd_logp, "cm_StoreMini scp 0x%p userp 0x%p", scp, userp);
diff --git a/src/afs/VNOPS/afs_vnop_attrs.c b/src/afs/VNOPS/afs_vnop_attrs.c
index 2eb228fdf..2633db3cb 100644
--- a/src/afs/VNOPS/afs_vnop_attrs.c
+++ b/src/afs/VNOPS/afs_vnop_attrs.c
@@ -360,6 +360,7 @@ afs_VAttrToAS(struct vcache *avc, struct vattr *av,
 {
 int mask;
 mask = 0;
+ AFS_STATCNT(afs_VAttrToAS);
 #if defined(AFS_DARWIN80_ENV)
 if (VATTR_IS_ACTIVE(av, va_mode)) {
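Review bot: The line this hunk adds to cm_StoreMini, `memset(&inStatus, 0, sizeof(inStatus);`, is missing the closing parenthesis of the memset call as shown here and would not compile; it should read `memset(&inStatus, 0, sizeof(inStatus));`. If this is a transcription artifact of this copy of the patch rather than the committed text, it is still worth confirming with a Windows client build, since this is the only hunk in the series that touches the WINNT tree and it is not exercised by a Unix kernel-module build. The body of cm_StoreMini continues outside the hunk, so the declaration of inStatus and the point where it is sent are not visible here.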
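Review bot: The line this hunk adds to afs_VAttrToAS, `AFS_STATCNT(afs_VAttrToAS);`, appears to be a statistics counter rather than part of the leak fix, and the commit message does not mention it. afs_VAttrToAS is, by its name and the `mask = 0;` context, the routine that fills the store-status structure selectively, i.e. the place where, per the description, fields not selected by the flags are left untouched, so it would be the natural spot to zero the output structure once (a memset of the output pointer, whose parameter name falls outside the visible hunk header) instead of relying on every caller to remember; as it stands a future caller that omits the memset reintroduces the leak. At minimum a comment beside `mask = 0;` such as `/* Only fields flagged in the mask are written here; callers must zero the struct first. */` would record the invariant the rest of this series depends on. The function's parameter list and body continue outside the hunk.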
@@ -485,6 +486,8 @@ afs_setattr(OSI_VC_DECL(avc), struct vattr *attrs,
 if ((code = afs_CreateReq(&treq, acred))) return code;
+ memset(&astat, 0, sizeof(astat));
+
 AFS_DISCON_LOCK();
 afs_InitFakeStat(&fakestate);
diff --git a/src/afs/VNOPS/afs_vnop_create.c b/src/afs/VNOPS/afs_vnop_create.c
index fc8701861..f33da9635 100644
--- a/src/afs/VNOPS/afs_vnop_create.c
+++ b/src/afs/VNOPS/afs_vnop_create.c
@@ -64,6 +64,7 @@ afs_create(OSI_VC_DECL(adp), char *aname, struct vattr *attrs,
 OutFidStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
 OutDirStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
+ memset(&InStatus, 0, sizeof(InStatus));
 if ((code = afs_CreateReq(&treq, acred))) goto done2;
diff --git a/src/afs/VNOPS/afs_vnop_dirops.c b/src/afs/VNOPS/afs_vnop_dirops.c
index 8b49a68a0..33455cb75 100644
--- a/src/afs/VNOPS/afs_vnop_dirops.c
+++ b/src/afs/VNOPS/afs_vnop_dirops.c
@@ -61,6 +61,7 @@ afs_mkdir(OSI_VC_DECL(adp), char *aname, struct vattr *attrs,
 OutFidStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
 OutDirStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
+ memset(&InStatus, 0, sizeof(InStatus));
 if ((code = afs_CreateReq(&treq, acred))) goto done2;
diff --git a/src/afs/VNOPS/afs_vnop_symlink.c b/src/afs/VNOPS/afs_vnop_symlink.c
index 993d5ac43..bd2263951 100644
--- a/src/afs/VNOPS/afs_vnop_symlink.c
+++ b/src/afs/VNOPS/afs_vnop_symlink.c
@@ -94,6 +94,7 @@ afs_symlink(OSI_VC_DECL(adp), char *aname, struct vattr *attrs,
 OutFidStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
 OutDirStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
+ memset(&InStatus, 0, sizeof(InStatus));
 if ((code = afs_CreateReq(&treq, acred))) goto done2;
diff --git a/src/afs/afs_disconnected.c b/src/afs/afs_disconnected.c
index 04107f0ab..cfd5d632c 100644
--- a/src/afs/afs_disconnected.c
+++ b/src/afs/afs_disconnected.c
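Review bot: The `memset(&InStatus, 0, sizeof(InStatus));` added in afs_create sits between the two osi_AllocSmallSpace calls and the afs_CreateReq check, far from InStatus's declaration, which is outside the hunk, and nothing at the site says why the zeroing is security-relevant; a later tidy-up that moves or removes it would silently reopen OPENAFS-SA-2016-002. A one-line comment above it, `/* Zero InStatus: only the fields selected by its flags are filled in below, but the whole struct goes on the wire. */`, would keep the reason attached to the code. The same placement, without a comment, is repeated in the afs_mkdir and afs_symlink hunks of this series. The rest of afs_create, including where InStatus is populated and sent, continues outside the hunk.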
@@ -671,6 +671,7 @@ afs_ProcessOpCreate(struct vcache *avc, struct vrequest *areq,
 tname = afs_osi_Alloc(AFSNAMEMAX);
 if (!tname) return ENOMEM;
+ memset(&InStatus, 0, sizeof(InStatus));
 code = afs_GetParentVCache(avc, 0, &pdir_fid, tname, &tdp);
 if (code)
diff --git a/src/afs/afs_segments.c b/src/afs/afs_segments.c
index 1ea33118f..2dd89cf31 100644
--- a/src/afs/afs_segments.c
+++ b/src/afs/afs_segments.c
@@ -55,6 +55,7 @@ afs_StoreMini(struct vcache *avc, struct vrequest *areq)
 tlen = avc->f.truncPos;
 avc->f.truncPos = AFS_NOTRUNC;
 avc->f.states &= ~CExtendedFile;
+ memset(&InStatus, 0, sizeof(InStatus));
 do {
 tc = afs_Conn(&avc->f.fid, areq, SHARED_LOCK, &rxconn);
diff --git a/src/libafscp/afscp_file.c b/src/libafscp/afscp_file.c
index c71f60152..a3985e3b9 100644
--- a/src/libafscp/afscp_file.c
+++ b/src/libafscp/afscp_file.c
@@ -124,6 +124,7 @@ afscp_PWrite(const struct afscp_venusfid * fid, const void *buffer,
 off_t filesize;
 time_t now;
+ memset(&sst, 0, sizeof(sst));
 vol = afscp_VolumeById(fid->cell, fid->fid.Volume);
 if (vol == NULL) {
 afscp_errno = ENOENT;
diff --git a/src/venus/afsio.c b/src/venus/afsio.c
index c6de1e3d5..409b39766 100644
--- a/src/venus/afsio.c
+++ b/src/venus/afsio.c
@@ -898,6 +898,7 @@ writeFile(struct cmd_syndesc *as, void *unused)
 /* stdin on Windows defaults to _O_TEXT mode */
 _setmode(0, _O_BINARY);
 #endif
+ memset(&InStatus, 0, sizeof(InStatus));
 CmdProlog(as, &cell, &realm, &fname, &sSynthLen);
 afscp_AnonymousAuth(1);
--
2.39.5
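Review bot: The `memset(&sst, 0, sizeof(sst));` added at the top of afscp_PWrite is in the userspace libafscp, so what this call previously leaked was uninitialised memory of the calling process (sst is presumably an automatic variable, declared alongside the `off_t filesize; time_t now;` locals visible above it), not the kernel stack the commit message describes; the fix is right, but nothing at the site records why it matters. A comment such as `/* Zero sst: fields not selected by its flags are still transmitted to the fileserver. */` would stop it being dropped as a redundant initialisation later. afscp_PWrite's declaration of sst and the RPC that sends it are outside the hunk.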