OPENAFS-SA-2016-002 AFSStoreVolumeStatus information leak

The AFSStoreVolumeStatus structure is used as an input to the
RXAFS_SetVolumeStatus RPC; it contains a Mask field that controls
which of the other fields will actually be read by the server
during the RPC processing.  Unfortunately, the client only
wrote to the fields indicated by the mask, leaving the other
fields uninitialized for transmission on the wire, leaking
some contents of kernel memory.

Plug the information leak by zeroing the entire structure before use.

FIXES 132847

Change-Id: Ib309e6b00b95bc4178740352899d7f940f2eb1ea
Benjamin Kaduk 2016-03-14 23:15:20 -05:00
parent b85c5f9339
commit 67646c7c90
2 changed files with 2 additions and 0 deletions
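The mechanism the commit message describes, as an added example that is not OpenAFS code: a hypothetical stand-in structure (`vol_status`, with assumed field names, mask bits and an XDR-style marshaller that sends every field as a big-endian word regardless of Mask) is built over storage pre-filled with a recognisable pattern standing in for stale memory. The "before" routine writes only the mask-gated fields, the "after" routine zeroes the structure first, and `leaked_bytes` counts how many pattern bytes reach the wire in each case.

```c
/* Added example (not OpenAFS code): how a mask-gated input structure leaks
 * stale memory when only the masked fields are written before marshalling. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for AFSStoreVolumeStatus. Only the Mask convention
 * mirrors the real structure; field names and bit values are assumptions. */
struct vol_status {
    uint32_t Mask;
    uint32_t MinQuota;
    uint32_t MaxQuota;
    uint32_t Reserved;   /* assumed extra field, never mask-selected */
};

#define VS_MINQUOTA 0x1u
#define VS_MAXQUOTA 0x2u

/* Byte pattern standing in for whatever the stack slot held previously. */
#define STALE 0xA5u

/* Pre-fix pattern: set Mask, then write only the fields Mask selects.
 * Everything else keeps whatever was in memory before. */
static void fill_vulnerable(struct vol_status *s, uint32_t mask,
                            uint32_t minq, uint32_t maxq)
{
    s->Mask = mask;
    if (mask & VS_MINQUOTA)
        s->MinQuota = minq;
    if (mask & VS_MAXQUOTA)
        s->MaxQuota = maxq;
}

/* Post-fix pattern: zero the whole structure, then fill as before. */
static void fill_fixed(struct vol_status *s, uint32_t mask,
                       uint32_t minq, uint32_t maxq)
{
    memset(s, 0, sizeof(*s));
    fill_vulnerable(s, mask, minq, maxq);
}

/* XDR-style marshalling: every field goes out as a big-endian 32-bit word,
 * whether or not Mask selects it. This is what the server receives. */
static size_t marshal(const struct vol_status *s, unsigned char *out)
{
    const uint32_t words[4] = { s->Mask, s->MinQuota, s->MaxQuota, s->Reserved };
    size_t i, n = 0;

    for (i = 0; i < 4; i++) {
        out[n++] = (unsigned char)(words[i] >> 24);
        out[n++] = (unsigned char)(words[i] >> 16);
        out[n++] = (unsigned char)(words[i] >> 8);
        out[n++] = (unsigned char)(words[i]);
    }
    return n;
}

/* Build the structure over "stale" storage, marshal it, and return how many
 * bytes of the stale pattern reached the wire. 0 means nothing leaked. */
static size_t leaked_bytes(int fixed, uint32_t mask)
{
    unsigned char storage[sizeof(struct vol_status)];
    unsigned char wire[sizeof(struct vol_status)];
    struct vol_status s;
    size_t i, n, leaked = 0;

    memset(storage, STALE, sizeof storage);   /* constructed prior contents */
    memcpy(&s, storage, sizeof s);            /* struct now holds stale data */

    if (fixed)
        fill_fixed(&s, mask, 1000, 2000);
    else
        fill_vulnerable(&s, mask, 1000, 2000);

    n = marshal(&s, wire);
    for (i = 0; i < n; i++)
        if (wire[i] == STALE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("vulnerable, Mask=MINQUOTA: %zu stale bytes on the wire\n",
           leaked_bytes(0, VS_MINQUOTA));
    printf("fixed,      Mask=MINQUOTA: %zu stale bytes on the wire\n",
           leaked_bytes(1, VS_MINQUOTA));
    return 0;
}
```

With only MinQuota selected, the vulnerable path sends the two unselected words (8 bytes) straight from the old memory contents; with an empty mask it sends 12. The fixed path sends none whichever mask is used, which is the property the one-line memset in both hunks below restores.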


@ -652,6 +652,7 @@ cm_IoctlSetVolumeStatus(struct cm_ioctl *ioctlp, struct cm_user *userp, cm_scach
clientchar_t *strp;
struct rx_connection * rxconnp;
memset(&storeStat, 0, sizeof(storeStat));
#ifdef AFS_FREELANCE_CLIENT
if ( scp->fid.cell == AFS_FAKE_ROOT_CELL_ID && scp->fid.volume == AFS_FAKE_ROOT_VOL_ID ) {
code = CM_ERROR_NOACCESS;
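Review bot: the added `memset(&storeStat, 0, sizeof(storeStat));` carries no comment saying why it is there, and a later cleanup could read it as redundant and drop it, reopening OPENAFS-SA-2016-002; suggest a one-line comment above it along the lines of `/* only Mask-selected fields are written below; zero the rest so stale memory is not sent */`. Placement is right otherwise: it follows the last declaration in scope (`struct rx_connection * rxconnp;`), so it stays C89-clean, and it precedes the `AFS_FREELANCE_CLIENT` early return, so every path that reaches the RPC sees a zeroed structure.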


@ -2074,6 +2074,7 @@ DECL_PIOCTL(PSetVolumeStatus)
AFS_STATCNT(PSetVolumeStatus);
if (!avc)
return EINVAL;
memset(&storeStat, 0, sizeof(storeStat));
tvp = afs_GetVolume(&avc->f.fid, areq, READ_LOCK);
if (tvp) {
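Review bot: the memset sits after `if (!avc) return EINVAL;` and before `afs_GetVolume`, which is the correct spot since the rejected path never reaches the RPC and the zeroing happens before any mask-driven field assignment; one alternative worth considering is a `= {0}` initializer at the declaration of `storeStat`, which is harder to separate from the variable in a future refactor, but the declaration is outside this hunk so that cannot be checked here. As with the Windows hunk, a short comment tying the memset to the Mask convention would protect it from being removed as a no-op.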