[Devel] [PATCH RH7 2/5] ploop: don't leak ploop_freeblks_ctl_extent
Dmitry Safonov
dsafonov at virtuozzo.com
Wed Sep 28 07:05:10 PDT 2016
Found by Solar Designer during vz7 audit:
> drivers/block/ploop/freeblks.c: ploop_fb_copy_freeblks_to_user()
> currently appears to leak 4 bytes of uninitialized padding to
> userspace as part of "cext". This is because of this function's
> selective initialization of "cext", combined with
> "struct ploop_freeblks_ctl_extent" having a definition that results
> in inclusion of 4 bytes of padding in sizeof(cext).
> Security impact is limited by ploop_ioctl() being limited to
> ve_is_super(). We have not determined if any security impact remains.
https://jira.sw.ru/browse/PSBM-51362
Cc: Maxim Patlasov <mpatlasov at virtuozzo.com>
Signed-off-by: Dmitry Safonov <dsafonov at virtuozzo.com>
---
drivers/block/ploop/freeblks.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/block/ploop/freeblks.c b/drivers/block/ploop/freeblks.c
index 5b21acf66dc5..a74a22d960b2 100644
--- a/drivers/block/ploop/freeblks.c
+++ b/drivers/block/ploop/freeblks.c
@@ -216,6 +216,7 @@ int ploop_fb_copy_freeblks_to_user(struct ploop_freeblks_desc *fbd, void *arg,
struct ploop_freeblks_extent *fextent;
struct ploop_freeblks_ctl_extent cext;
+ memset(&cext, 0, sizeof(cext));
list_for_each_entry(fextent, &fbd->fbd_free_list, list)
if (ctl->n_extents) {
int off = offsetof(struct ploop_freeblks_ctl,
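Review bot: memset() is the right tool here rather than an aggregate initializer such as `cext = {0}`: C guarantees only that the named members are set, and the padding bytes of an automatic-storage object initialized that way may still hold stale stack contents, so clearing the full sizeof(cext) explicitly is what closes the leak the commit message describes. A single memset() at function entry is sufficient provided the loop body only assigns individual members of cext (the surrounding context does not show the body); if a later change ever copied a whole struct into cext inside the list_for_each_entry loop, the zeroing would need to move into the loop with it.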
--
2.10.0
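The mechanism behind the leak, as an added user-space illustration that is not part of the patch or of the ploop code: a struct whose layout forces padding, one copy routine that sets members selectively (the "before" behaviour), and one that memset()s the whole object first (what the patch does). The struct `ctl_extent`, its members, the 0xAA poison standing in for stale stack bytes and the `copy_to_user_sim()` stand-in for copy_to_user() are all hypothetical, since the real definition of struct ploop_freeblks_ctl_extent is not on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct ploop_freeblks_ctl_extent (the real
 * definition is not on this page). A 32-bit member followed by a 64-bit
 * one leaves 4 bytes of padding on LP64 targets, the shape of problem
 * the audit describes: sizeof() covers bytes no member ever writes. */
struct ctl_extent {
    uint32_t clu;   /* hypothetical: first cluster of the extent */
    uint64_t len;   /* hypothetical: extent length */
};

/* Stand-in for copy_to_user(): "user memory" is a caller-supplied buffer.
 * noinline keeps the caller's object materialized in memory, so the
 * padding bytes really are whatever was left there, as on a kernel stack. */
__attribute__((noinline))
static void copy_to_user_sim(unsigned char *dst, const struct ctl_extent *src)
{
    memcpy(dst, src, sizeof *src);
}

/* Bytes inside sizeof(struct ctl_extent) that belong to no member. */
size_t padding_bytes(void)
{
    return sizeof(struct ctl_extent) - sizeof(uint32_t) - sizeof(uint64_t);
}

/* True if byte offset `off` lies inside a named member. */
static int in_member(size_t off)
{
    return (off >= offsetof(struct ctl_extent, clu) &&
            off <  offsetof(struct ctl_extent, clu) + sizeof(uint32_t)) ||
           (off >= offsetof(struct ctl_extent, len) &&
            off <  offsetof(struct ctl_extent, len) + sizeof(uint64_t));
}

/* Count padding bytes in the copied-out buffer that still carry the poison,
 * i.e. bytes of "kernel" memory that reached "user space" unchanged. */
static size_t poisoned_padding(const unsigned char *out, unsigned char poison)
{
    size_t n = 0;
    for (size_t off = 0; off < sizeof(struct ctl_extent); off++)
        if (!in_member(off) && out[off] == poison)
            n++;
    return n;
}

/* Before the patch: selective member initialization. The union lets us
 * pre-fill the object with a poison pattern standing in for stale stack
 * data; only the members are then written, padding is not. */
size_t leaked_bytes_fieldwise(void)
{
    union { struct ctl_extent ext; unsigned char raw[sizeof(struct ctl_extent)]; } u;
    unsigned char user_buf[sizeof(struct ctl_extent)];

    memset(u.raw, 0xAA, sizeof u.raw);   /* constructed "stale stack" contents */
    u.ext.clu = 7;
    u.ext.len = 1024;
    copy_to_user_sim(user_buf, &u.ext);
    return poisoned_padding(user_buf, 0xAA);
}

/* After the patch: memset() the whole object before filling members, so
 * every byte of sizeof(cext) that reaches user space is defined. */
size_t leaked_bytes_memset(void)
{
    union { struct ctl_extent ext; unsigned char raw[sizeof(struct ctl_extent)]; } u;
    unsigned char user_buf[sizeof(struct ctl_extent)];

    memset(u.raw, 0xAA, sizeof u.raw);   /* same constructed stale contents */
    memset(&u.ext, 0, sizeof u.ext);     /* the one-line fix from the patch */
    u.ext.clu = 7;
    u.ext.len = 1024;
    copy_to_user_sim(user_buf, &u.ext);
    return poisoned_padding(user_buf, 0xAA);
}

int main(void)
{
    printf("sizeof(struct ctl_extent) = %zu, padding = %zu bytes\n",
           sizeof(struct ctl_extent), padding_bytes());
    printf("member-wise init leaks %zu byte(s) of padding\n", leaked_bytes_fieldwise());
    printf("memset() first  leaks %zu byte(s) of padding\n", leaked_bytes_memset());
    return 0;
}
```

The same reasoning applies to any struct handed to copy_to_user(): when members are assigned one at a time, sizeof() still covers the padding, and a zeroing memset() of the whole object (not a member-by-member initializer) is the reliable way to keep those bytes from carrying kernel stack contents out.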