[Devel] [PATCH RH7 3/5] fs/quota: don't leak compat quotactl structs

Dmitry Safonov dsafonov at virtuozzo.com
Wed Sep 28 07:05:11 PDT 2016


Found by Solar Designer during vz7 audit:
> fs/quota/quota.c: compat_quotactl() may leak kernel data to userspace
> through incomplete per-field initialization of "struct compat_dqblk cdq"
> and "struct compat_dqinfo cinf", respectively, prior to copy_to_user().

https://jira.sw.ru/browse/PSBM-51366

Cc: Maxim Patlasov <mpatlasov at virtuozzo.com>
Signed-off-by: Dmitry Safonov <dsafonov at virtuozzo.com>
---
 fs/quota/quota.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/fs/quota/quota.c b/fs/quota/quota.c
index 9f1d9c401cfa..0302c437da17 100644
--- a/fs/quota/quota.c
+++ b/fs/quota/quota.c
@@ -445,6 +445,7 @@ static long compat_quotactl(unsigned int cmds, unsigned int type,
 			copy_to_if_dqblk(&idq, &fdq);
 			if (ret)
 				break;
+			memset(&cdq, 0, sizeof(cdq));
 			cdq.dqb_ihardlimit = fdq.d_ino_hardlimit;
 			cdq.dqb_isoftlimit = fdq.d_ino_softlimit;
 			cdq.dqb_curinodes = fdq.d_icount;
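Review bot: the memset(&cdq, 0, sizeof(cdq)) is placed correctly, after the error check and before any field is filled, but a one-line comment above it would help; a later reader who sees every field of cdq assigned below may take the memset as redundant and drop it, reintroducing the leak. The point worth recording is that zeroing the whole object also clears structure padding and any fields not assigned in this branch, which per-field initialization can never do before the copy_to_user() that follows. A shorter alternative with the same effect is zero-initializing cdq at its declaration (not visible in this hunk), which avoids relying on every path remembering the memset.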
@@ -511,14 +512,12 @@ static long compat_quotactl(unsigned int cmds, unsigned int type,
 			ret = sb->s_qcop->get_info(sb, type, &iinf);
 			if (ret)
 				break;
+
+			memset(&cinf, 0, sizeof(cinf));
 			cinf.dqi_bgrace = iinf.dqi_bgrace;
 			cinf.dqi_igrace = iinf.dqi_igrace;
-			cinf.dqi_flags = 0;
 			if (iinf.dqi_flags & DQF_INFO_DIRTY)
 				cinf.dqi_flags |= 0x0010;
-			cinf.dqi_blocks = 0;
-			cinf.dqi_free_blk = 0;
-			cinf.dqi_free_entry = 0;
 			ret = 0;
 			if (copy_to_user(addr, &cinf, sizeof(cinf)))
 				ret = -EFAULT;
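Review bot: the `cinf.dqi_flags |= 0x0010;` on the DQF_INFO_DIRTY path now depends on the new memset having zeroed dqi_flags, since the explicit `cinf.dqi_flags = 0;` is removed; that is correct as written, but it is easy to break if the memset is ever moved below the assignments, so a comment such as "zero whole struct, including padding, before copy_to_user()" next to the memset would make the dependency explicit. Dropping the three explicit `= 0` lines for dqi_blocks, dqi_free_blk and dqi_free_entry is fine once the memset covers them. As a pre-existing style point, the magic value 0x0010 in the compat flags would read better as a named constant or with a comment stating which userspace flag bit it represents.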
-- 
2.10.0



More information about the Devel mailing list