[Devel,RH7,2/5] ploop: don't leak ploop_freeblks_ctl_extent

Submitted by Dmitry Safonov on Sept. 28, 2016, 2:05 p.m.


Message ID 20160928140513.2518-3-dsafonov@virtuozzo.com
State New
Series "Fix leaks, found by audit"

Commit Message

Dmitry Safonov Sept. 28, 2016, 2:05 p.m.
Found by Solar Designer during vz7 audit:
> drivers/block/ploop/freeblks.c: ploop_fb_copy_freeblks_to_user()
> currently appears to leak 4 bytes of uninitialized padding to
> userspace as part of "cext".  This is because of this function's
> selective initialization of "cext", combined with
> "struct ploop_freeblks_ctl_extent" having a definition that results
> in inclusion of 4 bytes of padding in sizeof(cext).
> Security impact is limited by ploop_ioctl() being limited to
> ve_is_super().  We have not determined if any security impact remains.


Cc: Maxim Patlasov <mpatlasov@virtuozzo.com>
Signed-off-by: Dmitry Safonov <dsafonov@virtuozzo.com>
 drivers/block/ploop/freeblks.c | 1 +
 1 file changed, 1 insertion(+)


diff --git a/drivers/block/ploop/freeblks.c b/drivers/block/ploop/freeblks.c
index 5b21acf66dc5..a74a22d960b2 100644
--- a/drivers/block/ploop/freeblks.c
+++ b/drivers/block/ploop/freeblks.c
@@ -216,6 +216,7 @@  int ploop_fb_copy_freeblks_to_user(struct ploop_freeblks_desc *fbd, void *arg,
 	struct ploop_freeblks_extent	 *fextent;
 	struct ploop_freeblks_ctl_extent  cext;
+	memset(&cext, 0, sizeof(cext));
 	list_for_each_entry(fextent, &fbd->fbd_free_list, list)
 		if (ctl->n_extents) {
 			int off = offsetof(struct ploop_freeblks_ctl,
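Review bot: memset is the right choice for the added line `+	memset(&cext, 0, sizeof(cext));`, since a `= { 0 }` initializer is not guaranteed by the C standard to clear padding bytes, whereas memset zeroes the whole object including the 4 bytes of padding the commit message describes; checkpatch will, however, want a blank line between the declarations and the memset. Because cext is zeroed once before the list_for_each_entry loop, the fix depends on each iteration writing only named fields, which keeps the padding bytes zero across iterations; worth a one-line comment above the memset so a later refactor does not move it inside the loop or drop it.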