git: 235b93d39d71 - releng/14.1 - ctl: fix memory disclosure in read/write buffer commands
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 04 Sep 2024 21:07:31 UTC
The branch releng/14.1 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=235b93d39d71860983b15ce8ad63f0a939cd1be9 commit 235b93d39d71860983b15ce8ad63f0a939cd1be9 Author: Pierre Pronchery <pierre@freebsdfoundation.org> AuthorDate: 2024-09-04 14:38:11 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2024-09-04 20:46:54 +0000 ctl: fix memory disclosure in read/write buffer commands The functions ctl_write_buffer() and ctl_read_buffer() are vulnerable to a kernel memory disclosure caused by an uninitialized kernel allocation. If one of these functions is called for the first time for a given LUN, a kernel allocation is performed without the M_ZERO flag. Then a call to ctl_read_buffer() returns the content of this allocation, which may contain kernel data. Reported by: Synacktiv Reviewed by: asomers Reviewed by: jhb Security: FreeBSD-SA-24:11.ctl Security: CVE-2024-8178 Security: HYP-05 Sponsored by: The Alpha-Omega Project Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D45952 (cherry picked from commit ea44766b78d639d3a89afd5302ec6feffaade813) (cherry picked from commit cdfdb3b0086268cdc365174ebfb69e66b5dde0b5) Approved by: so --- sys/cam/ctl/ctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c index 7fb38c794a4c..9752ca93d36c 100644 --- a/sys/cam/ctl/ctl.c +++ b/sys/cam/ctl/ctl.c @@ -5634,7 +5634,7 @@ ctl_read_buffer(struct ctl_scsiio *ctsio) } else { if (lun->write_buffer == NULL) { lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE, - M_CTL, M_WAITOK); + M_CTL, M_WAITOK | M_ZERO); } ctsio->kern_data_ptr = lun->write_buffer + buffer_offset; } @@ -5675,7 +5675,7 @@ ctl_write_buffer(struct ctl_scsiio *ctsio) if (lun->write_buffer == NULL) { lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE, - M_CTL, M_WAITOK); + M_CTL, M_WAITOK | M_ZERO); } /*