[Devel] [PATCH RHEL7 COMMIT] ploop: prevent disclosure of 4 bytes of the kernel stack
Konstantin Khorenko
khorenko at odin.com
Mon May 18 21:26:57 PDT 2015
The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.1
------>
commit c25ed54c1a19bc8c11fcc472c3e4869c210eca97
Author: Andrey Smetanin <asmetanin at virtuozzo.com>
Date: Tue May 19 08:26:57 2015 +0400
ploop: prevent disclosure of 4 bytes of the kernel stack
Memory leak (4 bytes) in the ploop_getdevice_ioc function.
static int ploop_getdevice_ioc(unsigned long arg)
{
	int err;
	int index = 0;
	struct rb_node *n;
	struct ploop_getdevice_ctl ctl;

	mutex_lock(&ploop_devices_mutex);
	for (n = rb_first(&ploop_devices_tree); n; n = rb_next(n), index++) {
		struct ploop_device *plo;
		plo = rb_entry(n, struct ploop_device, link);
		if (plo->index != index || list_empty(&plo->map.delta_list))
			break;
	}
	mutex_unlock(&ploop_devices_mutex);

	ctl.minor = index << PLOOP_PART_SHIFT;
	if (ctl.minor & ~MINORMASK)
		return -ERANGE;
	err = copy_to_user((void*)arg, &ctl, sizeof(ctl));
	return err;
}
The ploop_getdevice_ioc() function copies the ploop_getdevice_ctl
structure to user space but initializes only the 'minor' attribute.
It is possible to disclose 4 bytes of the kernel stack via the
'__mbz1' attribute.
Below is the 'ploop_getdevice_ctl' structure:
struct ploop_getdevice_ctl
{
	__u32 minor;
	__u32 __mbz1;
} __attribute__ ((aligned (8)));
Signed-off-by: Andrey Vagin <avagin at openvz.org>
Reported-by: Jonathan Salwan (Sysdream Security Laboratory) <jonathan.salwan at gmail.com>
---
drivers/block/ploop/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/ploop/dev.c b/drivers/block/ploop/dev.c
index 2f4928d..8556af2 100644
--- a/drivers/block/ploop/dev.c
+++ b/drivers/block/ploop/dev.c
@@ -4277,7 +4277,7 @@ static int ploop_getdevice_ioc(unsigned long arg)
int err;
int index = 0;
struct rb_node *n;
- struct ploop_getdevice_ctl ctl;
+ struct ploop_getdevice_ctl ctl = {};
mutex_lock(&ploop_devices_mutex);
for (n = rb_first(&ploop_devices_tree); n; n = rb_next(n), index++) {
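Review bot: the `= {}` empty-brace initializer on the `ctl` line of this hunk closes the leak only because the struct is padding-free (two __u32 members fill all 8 bytes of the aligned(8) struct); C does not require an initializer to zero padding bytes, so if a member is ever added that introduces padding, this should become `memset(&ctl, 0, sizeof(ctl));`. `= {}` is also a GNU extension; `= { 0 }` says the same thing in standard C. One follow-up outside the hunk, visible in the function body quoted in the commit message: `err = copy_to_user((void*)arg, &ctl, sizeof(ctl)); return err;` returns the number of bytes not copied rather than a negative errno, so a faulting user pointer is reported to the ioctl caller as a positive value. Suggest `return copy_to_user((void __user *)arg, &ctl, sizeof(ctl)) ? -EFAULT : 0;`, which also adds the `__user` annotation sparse expects.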
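The following is an added example, not ploop or vzkernel code, that reproduces the bug class described in the commit message in user space: a union stands in for the kernel stack slot that the local `ctl` occupies, so the stale bytes are deterministic instead of compiler-dependent, and memcpy() plays the role of copy_to_user(). It shows the pre-patch shape (only `.minor` assigned, `__mbz1` carries whatever was on the stack), the post-patch shape (every member zeroed first), the range check from the original function, and the user-space side of the "must be zero" contract. The values of PLOOP_PART_SHIFT and MINORMASK, the residue value, and all function names are assumptions for the demonstration.

```c
/* Added example, not ploop or vzkernel code. Models the uninitialised-struct
 * info leak fixed by this patch. PLOOP_PART_SHIFT and MINORMASK are assumed
 * values; the "residue" is constructed, not captured from a real kernel. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PLOOP_PART_SHIFT 4                /* assumed for the demonstration */
#define MINORMASK        ((1U << 20) - 1) /* assumed: 20-bit minor numbers */

struct ploop_getdevice_ctl {
    uint32_t minor;
    uint32_t __mbz1;   /* "must be zero"; the buggy code never writes it */
} __attribute__((aligned(8)));

/* The `= {}` fix zeroes every member; that is a complete fix only because the
 * struct has no padding bytes, which a C initializer is not required to zero. */
_Static_assert(sizeof(struct ploop_getdevice_ctl) == 2 * sizeof(uint32_t),
               "ploop_getdevice_ctl must be padding-free");

/* Stand-in for the kernel stack slot the local `ctl` would occupy. */
static union {
    unsigned char bytes[sizeof(struct ploop_getdevice_ctl)];
    struct ploop_getdevice_ctl ctl;
} kstack;

/* Constructed residue: an earlier kernel code path left this in the slot. */
static const uint32_t RESIDUE = 0xdeadbeefu;

static void earlier_kernel_work(void)
{
    memcpy(kstack.bytes, &RESIDUE, sizeof RESIDUE);
    memcpy(kstack.bytes + sizeof RESIDUE, &RESIDUE, sizeof RESIDUE);
}

/* Shared tail of both variants: the range check, then the copy_to_user() stand-in. */
static int export_ctl(struct ploop_getdevice_ctl *user_buf)
{
    if (kstack.ctl.minor & ~MINORMASK)
        return -ERANGE;
    memcpy(user_buf, &kstack.ctl, sizeof kstack.ctl);
    return 0;
}

/* Vulnerable shape (pre-patch): only .minor is assigned. */
int getdevice_vuln(int index, struct ploop_getdevice_ctl *user_buf)
{
    kstack.ctl.minor = (uint32_t)index << PLOOP_PART_SHIFT;
    return export_ctl(user_buf);
}

/* Fixed shape (post-patch): memset() plays the role of `ctl = {}`. */
int getdevice_fixed(int index, struct ploop_getdevice_ctl *user_buf)
{
    memset(&kstack.ctl, 0, sizeof kstack.ctl);
    kstack.ctl.minor = (uint32_t)index << PLOOP_PART_SHIFT;
    return export_ctl(user_buf);
}

/* Plants the residue, runs one variant, and returns the __mbz1 value user
 * space receives: RESIDUE means 4 stack bytes leaked, 0 means the fix held. */
uint32_t leaked_mbz1(int fixed, int index)
{
    struct ploop_getdevice_ctl out = { 0xffffffffu, 0xffffffffu };
    earlier_kernel_work();
    (void)(fixed ? getdevice_fixed(index, &out) : getdevice_vuln(index, &out));
    return out.__mbz1;
}

/* User-space side of the "must be zero" contract: reject anything else. */
int ctl_is_wellformed(const struct ploop_getdevice_ctl *c)
{
    return c->__mbz1 == 0;
}

int main(void)
{
    struct ploop_getdevice_ctl c;
    earlier_kernel_work();
    getdevice_vuln(3, &c);
    printf("vulnerable: minor=%u __mbz1=0x%08x wellformed=%d\n",
           c.minor, c.__mbz1, ctl_is_wellformed(&c));
    earlier_kernel_work();
    getdevice_fixed(3, &c);
    printf("fixed:      minor=%u __mbz1=0x%08x wellformed=%d\n",
           c.minor, c.__mbz1, ctl_is_wellformed(&c));
    return 0;
}
```

The union is what makes the leak reproducible: on a real kernel the stale contents depend on whatever ran before the ioctl, which is exactly why such leaks are easy to miss in testing and why zeroing the struct before the copy, rather than relying on the caller to ignore reserved fields, is the right fix.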