Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 4 Sep 2024 14:46:17 GMT
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: ea44766b78d6 - main - ctl: fix memory disclosure in read/write buffer commands
Message-ID:  <202409041446.484EkH57000775@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=ea44766b78d639d3a89afd5302ec6feffaade813

commit ea44766b78d639d3a89afd5302ec6feffaade813
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2024-09-04 14:38:11 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-09-04 14:38:11 +0000

    ctl: fix memory disclosure in read/write buffer commands
    
    The functions ctl_write_buffer() and ctl_read_buffer() are vulnerable to
    a kernel memory disclosure caused by an uninitialized kernel allocation.
    If one of these functions is called for the first time for a given LUN, a
    kernel allocation is performed without the M_ZERO flag. Then a call to
    ctl_read_buffer() returns the content of this allocation, which may
    contain kernel data.
    
    Reported by:    Synacktiv
    Reviewed by:    asomers
    Reviewed by:    jhb
    Security:       FreeBSD-SA-24:11.ctl
    Security:       CVE-2024-8178
    Security:       HYP-05
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D45952
---
 sys/cam/ctl/ctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c
index 2124903f4ac1..e58299951540 100644
--- a/sys/cam/ctl/ctl.c
+++ b/sys/cam/ctl/ctl.c
@@ -5586,7 +5586,7 @@ ctl_read_buffer(struct ctl_scsiio *ctsio)
 	} else {
 		if (lun->write_buffer == NULL) {
 			lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE,
-			    M_CTL, M_WAITOK);
+			    M_CTL, M_WAITOK | M_ZERO);
 		}
 		ctsio->kern_data_ptr = lun->write_buffer + buffer_offset;
 	}
@@ -5627,7 +5627,7 @@ ctl_write_buffer(struct ctl_scsiio *ctsio)
 
 	if (lun->write_buffer == NULL) {
 		lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE,
-		    M_CTL, M_WAITOK);
+			    M_CTL, M_WAITOK | M_ZERO);
 	}
 
 	/*

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202409041446.484EkH57000775>