Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 4 Sep 2024 15:53:52 GMT
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: b13631a59f2a - stable/13 - ctl: fix memory disclosure in read/write buffer commands
Message-ID:  <202409041553.484FrqCQ019806@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=b13631a59f2a303418c0f3f298b33f2a51fa59a7

commit b13631a59f2a303418c0f3f298b33f2a51fa59a7
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2024-09-04 14:38:11 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-09-04 15:52:06 +0000

    ctl: fix memory disclosure in read/write buffer commands
    
    The functions ctl_write_buffer() and ctl_read_buffer() are vulnerable to
    a kernel memory disclosure caused by an uninitialized kernel allocation.
    If one of these functions is called for the first time for a given LUN, a
    kernel allocation is performed without the M_ZERO flag. Then a call to
    ctl_read_buffer() returns the content of this allocation, which may
    contain kernel data.
    
    Reported by:    Synacktiv
    Reviewed by:    asomers
    Reviewed by:    jhb
    Security:       FreeBSD-SA-24:11.ctl
    Security:       CVE-2024-8178
    Security:       HYP-05
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D45952
    
    (cherry picked from commit ea44766b78d639d3a89afd5302ec6feffaade813)
    (cherry picked from commit cdfdb3b0086268cdc365174ebfb69e66b5dde0b5)
---
 sys/cam/ctl/ctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c
index 5635246845b9..f9fec62249cb 100644
--- a/sys/cam/ctl/ctl.c
+++ b/sys/cam/ctl/ctl.c
@@ -5633,7 +5633,7 @@ ctl_read_buffer(struct ctl_scsiio *ctsio)
 	} else {
 		if (lun->write_buffer == NULL) {
 			lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE,
-			    M_CTL, M_WAITOK);
+			    M_CTL, M_WAITOK | M_ZERO);
 		}
 		ctsio->kern_data_ptr = lun->write_buffer + buffer_offset;
 	}
@@ -5674,7 +5674,7 @@ ctl_write_buffer(struct ctl_scsiio *ctsio)
 
 	if (lun->write_buffer == NULL) {
 		lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE,
-		    M_CTL, M_WAITOK);
+			    M_CTL, M_WAITOK | M_ZERO);
 	}
 
 	/*



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202409041553.484FrqCQ019806>