Date: Wed, 4 Sep 2024 15:53:52 GMT From: Ed Maste <emaste@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: b13631a59f2a - stable/13 - ctl: fix memory disclosure in read/write buffer commands Message-ID: <202409041553.484FrqCQ019806@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=b13631a59f2a303418c0f3f298b33f2a51fa59a7 commit b13631a59f2a303418c0f3f298b33f2a51fa59a7 Author: Pierre Pronchery <pierre@freebsdfoundation.org> AuthorDate: 2024-09-04 14:38:11 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-09-04 15:52:06 +0000 ctl: fix memory disclosure in read/write buffer commands The functions ctl_write_buffer() and ctl_read_buffer() are vulnerable to a kernel memory disclosure caused by an uninitialized kernel allocation. If one of these functions is called for the first time for a given LUN, a kernel allocation is performed without the M_ZERO flag. Then a call to ctl_read_buffer() returns the content of this allocation, which may contain kernel data. Reported by: Synacktiv Reviewed by: asomers Reviewed by: jhb Security: FreeBSD-SA-24:11.ctl Security: CVE-2024-8178 Security: HYP-05 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D45952 (cherry picked from commit ea44766b78d639d3a89afd5302ec6feffaade813) (cherry picked from commit cdfdb3b0086268cdc365174ebfb69e66b5dde0b5) --- sys/cam/ctl/ctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c index 5635246845b9..f9fec62249cb 100644 --- a/sys/cam/ctl/ctl.c +++ b/sys/cam/ctl/ctl.c @@ -5633,7 +5633,7 @@ ctl_read_buffer(struct ctl_scsiio *ctsio) } else { if (lun->write_buffer == NULL) { lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE, - M_CTL, M_WAITOK); + M_CTL, M_WAITOK | M_ZERO); } ctsio->kern_data_ptr = lun->write_buffer + buffer_offset; } @@ -5674,7 +5674,7 @@ ctl_write_buffer(struct ctl_scsiio *ctsio) if (lun->write_buffer == NULL) { lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE, - M_CTL, M_WAITOK); + M_CTL, M_WAITOK | M_ZERO); } /*
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202409041553.484FrqCQ019806>