[Devel,RH7,1/5] cbt: don't leak ce_reserved64 in cbt_ito userspace

Submitted by Dmitry Safonov on Sept. 28, 2016, 2:05 p.m.


Message ID 20160928140513.2518-2-dsafonov@virtuozzo.com
State New
Series "Fix leaks, found by audit"
Headers show

Commit Message

Dmitry Safonov Sept. 28, 2016, 2:05 p.m.
Found by Solar Designer during vz7 audit:
> block/blk-cbt.c: cbt_ioc_get() invoked on the BLKCBTGET ioctl
> uses copy_to_user() on "u_ex", a "struct blk_user_cbt_extent",
> after initializing only the ce_physical and ce_length fields,
> but not the ce_reserved64 field.
> The uninitialized field (as well as any fields or/and padding
> that might be added in future versions) may leak kernel data to userspace.
> Security impact, if any, depends on whether the ioctl is reachable by
> not-fully-trusted (host?) users in any reasonable setup, which hasn't
> been determined.

Used memset instead of simple
> u_ex.ce_reserved64[0] = 0ULL;
for any possible future paddings/new fields/UAPI changes.
Quite arguable.


Cc: Dmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
 block/blk-cbt.c | 1 +
 1 file changed, 1 insertion(+)

Patch hide | download patch | download mbox

diff --git a/block/blk-cbt.c b/block/blk-cbt.c
index cacd3201021b..5a54a51748f8 100644
--- a/block/blk-cbt.c
+++ b/block/blk-cbt.c
@@ -707,6 +707,7 @@  static int cbt_ioc_get(struct block_device *bdev, struct blk_user_cbt_info __use
 	if (end > cbt->block_max)
 		end = cbt->block_max;
+	memset(&u_ex, 0, sizeof(u_ex));
 	while (ci.ci_mapped_extents < ci.ci_extent_count) {
 		cbt_find_next_extent(cbt, block, &ex);
 		if (!ex.len || ex.start > end) {