The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.1
------>
commit c25ed54c1a19bc8c11fcc472c3e4869c210eca97
Author: Andrey Smetanin <asmeta...@virtuozzo.com>
Date:   Tue May 19 08:26:57 2015 +0400
    ploop: prevent disclosure of 4 bytes of the kernel stack

    Memory leak (4 bytes) in the ploop_getdevice_ioc function.

    +static int ploop_getdevice_ioc(unsigned long arg)
    +{
    +	int err;
    +	int index = 0;
    +	struct rb_node *n;
    +	struct ploop_getdevice_ctl ctl;
    +
    +	mutex_lock(&ploop_devices_mutex);
    +	for (n = rb_first(&ploop_devices_tree); n; n = rb_next(n), index++) {
    +		struct ploop_device *plo;
    +		plo = rb_entry(n, struct ploop_device, link);
    +		if (plo->index != index || list_empty(&plo->map.delta_list))
    +			break;
    +	}
    +	mutex_unlock(&ploop_devices_mutex);
    +
    +	ctl.minor = index << PLOOP_PART_SHIFT;
    +	if (ctl.minor & ~MINORMASK)
    +		return -ERANGE;
    +	err = copy_to_user((void*)arg, &ctl, sizeof(ctl));
    +	return err;
    +}

    The ploop_getdevice_ioc() function copies the ploop_getdevice_ctl structure to user space but initializes just the 'minor' attribute. It's possible to disclose 4 bytes of the kernel stack via the '__mbz1' attribute. Below is the 'ploop_getdevice_ctl' structure:

    +struct ploop_getdevice_ctl
    +{
    +	__u32 minor;
    +	__u32 __mbz1;
    +} __attribute__ ((aligned (8)));

Signed-off-by: Andrey Vagin <ava...@openvz.org>
Reported-by: Jonathan Salwan (Sysdream Security Laboratory) <jonathan.sal...@gmail.com>
---
 drivers/block/ploop/dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/block/ploop/dev.c b/drivers/block/ploop/dev.c
index 2f4928d..8556af2 100644
--- a/drivers/block/ploop/dev.c
+++ b/drivers/block/ploop/dev.c
@@ -4277,7 +4277,7 @@ static int ploop_getdevice_ioc(unsigned long arg) int err; int index = 0; struct rb_node *n; - struct ploop_getdevice_ctl ctl; + struct ploop_getdevice_ctl ctl = {}; mutex_lock(&ploop_devices_mutex); for (n = rb_first(&ploop_devices_tree); n; n = rb_next(n), index++) { _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
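Review bot: the `= {}` initializer closes the leak, but the function still returns the raw result of copy_to_user() (`err = copy_to_user((void*)arg, &ctl, sizeof(ctl)); return err;` in the function quoted in the commit message), which is the count of bytes not copied rather than an errno; a short copy would surface to the ioctl caller as a positive value instead of -EFAULT. Since the hunk already touches this function, consider `if (copy_to_user((void __user *)arg, &ctl, sizeof(ctl))) return -EFAULT; return 0;` in the same patch. Zero-initializing is sufficient here only because ploop_getdevice_ctl is two __u32 with aligned(8), so there is no padding for a `= {}` to leave unspecified; a structure with holes would also want an explicit memset before the copy.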
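The commit message describes the bug in the abstract; the following is an added example, not code from the OpenVZ commit or the ploop driver, that models the same uninitialized-struct disclosure in plain user-space C so it can be run without a kernel. It reproduces the struct layout quoted above, puts the vulnerable and fixed shapes of the function side by side, and checks what user space actually receives. Everything suffixed `_demo`, the `user_view()` harness, the value of `PLOOP_PART_SHIFT_DEMO`, and the idea of modelling the stale stack frame as a caller-supplied, pre-poisoned buffer (so the result is deterministic rather than depending on real stack garbage) are assumptions of the example; `MINORMASK_DEMO` copies the mainline Linux definition ((1U << 20) - 1) and `copy_to_user_demo()` keeps the real `copy_to_user()` return convention of "bytes not copied".

```c
/* Added example, not part of the ploop driver or the OpenVZ commit.
 * Models the 4-byte kernel-stack disclosure from ploop_getdevice_ioc() in
 * user space.  Names ending in _demo, user_view() and the pre-poisoned "stack
 * slot" are assumptions made for this demo. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>

/* Same layout as the driver's ploop_getdevice_ctl: two __u32, 8-byte aligned,
 * hence 8 bytes with no padding. */
struct getdevice_ctl_demo {
    uint32_t minor;
    uint32_t __mbz1;        /* "must be zero": never written by the vulnerable code */
} __attribute__((aligned(8)));

#define PLOOP_PART_SHIFT_DEMO 4          /* assumption; the real value is in the driver header */
#define MINORMASK_DEMO ((1U << 20) - 1)  /* mainline Linux MINORMASK */

/* Stand-in for copy_to_user(): returns the number of bytes NOT copied, 0 on success.
 * A NULL destination plays the role of an unmapped user pointer. */
static unsigned long copy_to_user_demo(void *to, const void *from, size_t n)
{
    if (to == NULL)
        return n;
    memcpy(to, from, n);
    return 0;
}

/* Vulnerable shape.  `slot` stands in for the stack frame holding
 * "struct ploop_getdevice_ctl ctl;".  Only .minor is written, so whatever an
 * earlier call left in the slot is copied out as __mbz1.  The raw byte count
 * from the copy is returned, as in the function quoted in the commit message. */
long getdevice_vuln(void *slot, int index, void *user_arg)
{
    struct getdevice_ctl_demo *ctl = slot;
    ctl->minor = (uint32_t)index << PLOOP_PART_SHIFT_DEMO;
    if (ctl->minor & ~MINORMASK_DEMO)
        return -ERANGE;
    return (long)copy_to_user_demo(user_arg, ctl, sizeof *ctl);
}

/* Fixed shape: zero the whole struct first (what "= {}" does in the patch) and
 * turn a short copy into -EFAULT instead of leaking the byte count. */
long getdevice_fixed(void *slot, int index, void *user_arg)
{
    struct getdevice_ctl_demo *ctl = slot;
    memset(ctl, 0, sizeof *ctl);
    ctl->minor = (uint32_t)index << PLOOP_PART_SHIFT_DEMO;
    if (ctl->minor & ~MINORMASK_DEMO)
        return -ERANGE;
    if (copy_to_user_demo(user_arg, ctl, sizeof *ctl))
        return -EFAULT;
    return 0;
}

/* Harness: pre-fill the "stack slot" with `stale` (constructed leftover data),
 * run one variant, and return what user space sees packed as
 * (__mbz1 << 32) | minor, or the negative errno the variant returned. */
long long user_view(long (*fn)(void *, int, void *), uint32_t stale, int index)
{
    uint32_t slot[2] __attribute__((aligned(8))) = { stale, stale };
    struct getdevice_ctl_demo out;
    long rc = fn(slot, index, &out);
    if (rc != 0)
        return rc;
    return ((long long)out.__mbz1 << 32) | out.minor;
}

int main(void)
{
    /* 0x41414141 is a constructed marker standing in for stale kernel data. */
    printf("vulnerable: 0x%016llx\n", user_view(getdevice_vuln, 0x41414141u, 3));
    printf("fixed:      0x%016llx\n", user_view(getdevice_fixed, 0x41414141u, 3));
    return 0;
}
```

With index 3 the vulnerable variant hands user space `0x4141414100000030`: the low word is the expected minor (3 << 4) and the high word is the marker that was sitting in the frame, which is exactly the 4-byte disclosure the commit fixes; the fixed variant returns `0x0000000000000030`. The harness also shows the return-value difference: with an unwritable destination the vulnerable shape returns 8 (bytes not copied) while the fixed shape returns -EFAULT.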