OPENAFS-SA-2016-002 AFSStoreStatus information leak

Marc Dionne reported that portions of the AFSStoreStatus structure
were not written to before being sent over the network for
operations such as create, symlink, etc., leaking the contents
of the kernel stack to observers.  Which fields in the request
are used are controlled by a flags field, and so if a field was
not going to be used by the server, it was sometimes left
uninitialized.

Fix the information leak by zeroing out the structure before use.

FIXES 132847

Change-Id: Iebcac04d1ff70df06d054ddb3b886ab422fb2a14

src/WINNT/afsd/cm_dcache.c

@@ -416,6 +416,7 @@ long cm_StoreMini(cm_scache_t *scp, cm_user_t *userp, cm_req_t *reqp)
     int call_was_64bit = 0;
 
     memset(&volSync, 0, sizeof(volSync));
+    memset(&inStatus, 0, sizeof(inStatus);
 
     osi_Log2(afsd_logp, "cm_StoreMini scp 0x%p userp 0x%p", scp, userp);
 

src/afs/VNOPS/afs_vnop_attrs.c

@@ -360,6 +360,7 @@ afs_VAttrToAS(struct vcache *avc, struct vattr *av,
 {
     int mask;
     mask = 0;
+
     AFS_STATCNT(afs_VAttrToAS);
 #if     defined(AFS_DARWIN80_ENV)
     if (VATTR_IS_ACTIVE(av, va_mode)) {
@@ -485,6 +486,8 @@ afs_setattr(OSI_VC_DECL(avc), struct vattr *attrs,
     if ((code = afs_CreateReq(&treq, acred)))
 	return code;
 
+    memset(&astat, 0, sizeof(astat));
+
     AFS_DISCON_LOCK();
 
     afs_InitFakeStat(&fakestate);

src/afs/VNOPS/afs_vnop_create.c

@@ -64,6 +64,7 @@ afs_create(OSI_VC_DECL(adp), char *aname, struct vattr *attrs,
 
     OutFidStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
     OutDirStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
+    memset(&InStatus, 0, sizeof(InStatus));
 
     if ((code = afs_CreateReq(&treq, acred)))
 	goto done2;

src/afs/VNOPS/afs_vnop_dirops.c

@@ -61,6 +61,7 @@ afs_mkdir(OSI_VC_DECL(adp), char *aname, struct vattr *attrs,
 
     OutFidStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
     OutDirStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
+    memset(&InStatus, 0, sizeof(InStatus));
 
     if ((code = afs_CreateReq(&treq, acred)))
 	goto done2;

src/afs/VNOPS/afs_vnop_symlink.c

@@ -94,6 +94,7 @@ afs_symlink(OSI_VC_DECL(adp), char *aname, struct vattr *attrs,
 
     OutFidStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
     OutDirStatus = osi_AllocSmallSpace(sizeof(struct AFSFetchStatus));
+    memset(&InStatus, 0, sizeof(InStatus));
 
     if ((code = afs_CreateReq(&treq, acred)))
 	goto done2;

src/afs/afs_disconnected.c

@@ -671,6 +671,7 @@ afs_ProcessOpCreate(struct vcache *avc, struct vrequest *areq,
     tname = afs_osi_Alloc(AFSNAMEMAX);
     if (!tname)
 	return ENOMEM;
+    memset(&InStatus, 0, sizeof(InStatus));
 
     code = afs_GetParentVCache(avc, 0, &pdir_fid, tname, &tdp);
     if (code)

src/afs/afs_segments.c

@@ -55,6 +55,7 @@ afs_StoreMini(struct vcache *avc, struct vrequest *areq)
 	tlen = avc->f.truncPos;
     avc->f.truncPos = AFS_NOTRUNC;
     avc->f.states &= ~CExtendedFile;
+    memset(&InStatus, 0, sizeof(InStatus));
 
     do {
 	tc = afs_Conn(&avc->f.fid, areq, SHARED_LOCK, &rxconn);

src/libafscp/afscp_file.c

@@ -124,6 +124,7 @@ afscp_PWrite(const struct afscp_venusfid * fid, const void *buffer,
     off_t filesize;
     time_t now;
 
+    memset(&sst, 0, sizeof(sst));
     vol = afscp_VolumeById(fid->cell, fid->fid.Volume);
     if (vol == NULL) {
 	afscp_errno = ENOENT;

src/venus/afsio.c

@@ -898,6 +898,7 @@ writeFile(struct cmd_syndesc *as, void *unused)
     /* stdin on Windows defaults to _O_TEXT mode */
     _setmode(0, _O_BINARY);
 #endif
+    memset(&InStatus, 0, sizeof(InStatus));
 
     CmdProlog(as, &cell, &realm, &fname, &sSynthLen);
     afscp_AnonymousAuth(1);