[Devel] [PATCH RH7 1/5] cbt: don't leak ce_reserved64 in cbt_ito userspace
Dmitry Safonov
dsafonov at virtuozzo.com
Wed Sep 28 07:05:09 PDT 2016
Found by Solar Designer during vz7 audit:
> block/blk-cbt.c: cbt_ioc_get() invoked on the BLKCBTGET ioctl
> uses copy_to_user() on "u_ex", a "struct blk_user_cbt_extent",
> after initializing only the ce_physical and ce_length fields,
> but not the ce_reserved64 field.
> The uninitialized field (as well as any fields or/and padding
> that might be added in future versions) may leak kernel data to userspace.
> Security impact, if any, depends on whether the ioctl is reachable by
> not-fully-trusted (host?) users in any reasonable setup, which hasn't
> been determined.
Used memset instead of the simple
> u_ex.ce_reserved64[0] = 0ULL;
for any possible future padding/new fields/UAPI changes.
Quite arguable.
https://jira.sw.ru/browse/PSBM-51361
Cc: Dmitry Monakhov <dmonakhov at openvz.org>
Signed-off-by: Dmitry Safonov <dsafonov at virtuozzo.com>
---
block/blk-cbt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block/blk-cbt.c b/block/blk-cbt.c
index cacd3201021b..5a54a51748f8 100644
--- a/block/blk-cbt.c
+++ b/block/blk-cbt.c
@@ -707,6 +707,7 @@ static int cbt_ioc_get(struct block_device *bdev, struct blk_user_cbt_info __use
if (end > cbt->block_max)
end = cbt->block_max;
+ memset(&u_ex, 0, sizeof(u_ex));
while (ci.ci_mapped_extents < ci.ci_extent_count) {
cbt_find_next_extent(cbt, block, &ex);
if (!ex.len || ex.start > end) {
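Review bot: placing the memset once before the while loop is sufficient here: per the commit message, each iteration assigns only ce_physical and ce_length, so ce_reserved64 (and any padding) stays zero for every copy_to_user of u_ex. memset is also the right choice over a `= {0}` initializer for a struct handed to userspace, since C does not guarantee that padding bytes are zeroed by an initializer; stating that in the message in place of "Quite arguable." would settle the point for future readers.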
--
2.10.0