[Devel] [PATCH rh7 05/38] ploop: prevent disclosure of 4 bytes of the kernel stack
Andrey Smetanin
asmetanin at virtuozzo.com
Fri May 15 09:48:06 PDT 2015
Memory leak (4 bytes) in the ploop_getdevice_ioc function.
static int ploop_getdevice_ioc(unsigned long arg)
{
	int err;
	int index = 0;
	struct rb_node *n;
	struct ploop_getdevice_ctl ctl;

	mutex_lock(&ploop_devices_mutex);
	for (n = rb_first(&ploop_devices_tree); n; n = rb_next(n), index++) {
		struct ploop_device *plo;
		plo = rb_entry(n, struct ploop_device, link);
		if (plo->index != index || list_empty(&plo->map.delta_list))
			break;
	}
	mutex_unlock(&ploop_devices_mutex);

	ctl.minor = index << PLOOP_PART_SHIFT;
	if (ctl.minor & ~MINORMASK)
		return -ERANGE;
	err = copy_to_user((void*)arg, &ctl, sizeof(ctl));
	return err;
}
The ploop_getdevice_ioc() function copies the ploop_getdevice_ctl
structure to user space but initializes just the 'minor' attribute. It's
possible to disclose 4 bytes of the kernel stack via the '__mbz1'
attribute.
Below is the 'ploop_getdevice_ctl' structure:
struct ploop_getdevice_ctl
{
	__u32 minor;
	__u32 __mbz1;
} __attribute__ ((aligned (8)));
Signed-off-by: Andrey Vagin <avagin at openvz.org>
Reported-by: Jonathan Salwan (Sysdream Security Laboratory) <jonathan.salwan at gmail.com>
---
drivers/block/ploop/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/ploop/dev.c b/drivers/block/ploop/dev.c
index 2f4928d..8556af2 100644
--- a/drivers/block/ploop/dev.c
+++ b/drivers/block/ploop/dev.c
@@ -4277,7 +4277,7 @@ static int ploop_getdevice_ioc(unsigned long arg)
int err;
int index = 0;
struct rb_node *n;
- struct ploop_getdevice_ctl ctl;
+ struct ploop_getdevice_ctl ctl = {};
mutex_lock(&ploop_devices_mutex);
for (n = rb_first(&ploop_devices_tree); n; n = rb_next(n), index++) {
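Review bot: the `= {}` initializer on the `struct ploop_getdevice_ctl ctl` line zeroes both named members, so `__mbz1` no longer carries stale stack bytes into `copy_to_user()`, and because the structure is two `__u32` inside an `aligned(8)` object there is no padding left to leak today; for a structure that is copied out to user space, though, `memset(&ctl, 0, sizeof(ctl))` is the more robust form, since an empty initializer only guarantees the named members and would silently leave padding uncleared if a field is ever added. As a follow-up outside this hunk, the function body quoted in the commit message ends with `err = copy_to_user((void*)arg, &ctl, sizeof(ctl)); return err;`, which returns the count of uncopied bytes rather than `-EFAULT` on failure; worth fixing in the same file.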
--
1.9.3