diff options
| author | Pierre Pronchery <pierre@freebsdfoundation.org> | 2024-09-04 14:38:11 +0000 |
|---|---|---|
| committer | Ed Maste <emaste@FreeBSD.org> | 2024-09-04 20:46:54 +0000 |
| commit | 235b93d39d71860983b15ce8ad63f0a939cd1be9 (patch) | |
| tree | f2f693fcb31df9c2e8befd08a40a0ae16220c599 | |
| parent | 31d839d66e8a10693e791696ea4bfd93ec1feb34 (diff) | |
ctl: fix memory disclosure in read/write buffer commands
The functions ctl_write_buffer() and ctl_read_buffer() are vulnerable to
a kernel memory disclosure caused by an uninitialized kernel allocation.
If one of these functions is called for the first time for a given LUN, a
kernel allocation is performed without the M_ZERO flag. Then a call to
ctl_read_buffer() returns the content of this allocation, which may
contain kernel data.
Reported by: Synacktiv
Reviewed by: asomers
Reviewed by: jhb
Security: FreeBSD-SA-24:11.ctl
Security: CVE-2024-8178
Security: HYP-05
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45952
(cherry picked from commit ea44766b78d639d3a89afd5302ec6feffaade813)
(cherry picked from commit cdfdb3b0086268cdc365174ebfb69e66b5dde0b5)
Approved by: so
| -rw-r--r-- | sys/cam/ctl/ctl.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c index 7fb38c794a4c..9752ca93d36c 100644 --- a/sys/cam/ctl/ctl.c +++ b/sys/cam/ctl/ctl.c @@ -5634,7 +5634,7 @@ ctl_read_buffer(struct ctl_scsiio *ctsio) } else { if (lun->write_buffer == NULL) { lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE, - M_CTL, M_WAITOK); + M_CTL, M_WAITOK | M_ZERO); } ctsio->kern_data_ptr = lun->write_buffer + buffer_offset; } @@ -5675,7 +5675,7 @@ ctl_write_buffer(struct ctl_scsiio *ctsio) if (lun->write_buffer == NULL) { lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE, - M_CTL, M_WAITOK); + M_CTL, M_WAITOK | M_ZERO); } /* |