git: cdfdb3b00862 - stable/14 - ctl: fix memory disclosure in read/write buffer commands

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Wed, 04 Sep 2024 15:51:06 UTC
The branch stable/14 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=cdfdb3b0086268cdc365174ebfb69e66b5dde0b5

commit cdfdb3b0086268cdc365174ebfb69e66b5dde0b5
Author:     Pierre Pronchery <pierre@freebsdfoundation.org>
AuthorDate: 2024-09-04 14:38:11 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-09-04 14:59:52 +0000

    ctl: fix memory disclosure in read/write buffer commands
    
    The functions ctl_write_buffer() and ctl_read_buffer() are vulnerable to
    a kernel memory disclosure caused by an uninitialized kernel allocation.
    If one of these functions is called for the first time for a given LUN, a
    kernel allocation is performed without the M_ZERO flag. Then a call to
    ctl_read_buffer() returns the content of this allocation, which may
    contain kernel data.
    
    Reported by:    Synacktiv
    Reviewed by:    asomers
    Reviewed by:    jhb
    Security:       FreeBSD-SA-24:11.ctl
    Security:       CVE-2024-8178
    Security:       HYP-05
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D45952
    
    (cherry picked from commit ea44766b78d639d3a89afd5302ec6feffaade813)
---
 sys/cam/ctl/ctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c
index b449e05889ec..b9013e84ef83 100644
--- a/sys/cam/ctl/ctl.c
+++ b/sys/cam/ctl/ctl.c
@@ -5634,7 +5634,7 @@ ctl_read_buffer(struct ctl_scsiio *ctsio)
 	} else {
 		if (lun->write_buffer == NULL) {
 			lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE,
-			    M_CTL, M_WAITOK);
+			    M_CTL, M_WAITOK | M_ZERO);
 		}
 		ctsio->kern_data_ptr = lun->write_buffer + buffer_offset;
 	}
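Review bot: The lazy allocation in the else branch of ctl_read_buffer() is the same malloc(CTL_WRITE_BUFFER_SIZE, M_CTL, ...) call that ctl_write_buffer() makes, so the flags had to be corrected in two places and can drift apart again. Consider moving the NULL check and allocation into one small helper that both functions call. A short comment is also worth adding there, saying that the buffer contents are handed back to the initiator through kern_data_ptr and must therefore be zeroed. Without it, nothing at this site explains why M_ZERO is required, and a later cleanup could drop it.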
@@ -5675,7 +5675,7 @@ ctl_write_buffer(struct ctl_scsiio *ctsio)
 
 	if (lun->write_buffer == NULL) {
 		lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE,
-		    M_CTL, M_WAITOK);
+			    M_CTL, M_WAITOK | M_ZERO);
 	}
 
 	/*
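Review bot: The continuation line added in ctl_write_buffer() is indented one tab deeper than the line it replaces. The removed line was two tabs plus four spaces, matching a malloc() that sits one level inside the function body, while the new "M_CTL, M_WAITOK | M_ZERO);" line carries the three-tab indentation of the more deeply nested call in ctl_read_buffer(). Restoring the original indentation keeps this hunk a pure flag change and consistent with the surrounding style.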