HomeFreeBSD

ctl: fix memory disclosure in read/write buffer commands

Description

ctl: fix memory disclosure in read/write buffer commands

The functions ctl_write_buffer() and ctl_read_buffer() are vulnerable to
a kernel memory disclosure caused by an uninitialized kernel allocation.
If one of these functions is called for the first time for a given LUN, a
kernel allocation is performed without the M_ZERO flag. Then a call to
ctl_read_buffer() returns the content of this allocation, which may
contain kernel data.

Reported by: Synacktiv
Reviewed by: asomers
Reviewed by: jhb
Security: FreeBSD-SA-24:11.ctl
Security: CVE-2024-8178
Security: HYP-05
Sponsored by: The Alpha-Omega Project
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45952

(cherry picked from commit ea44766b78d639d3a89afd5302ec6feffaade813)

Details

Provenance
khorben_defora.orgAuthored on Sep 4 2024, 2:38 PM
emasteCommitted on Sep 4 2024, 2:59 PM
Reviewer
asomers
Differential Revision
Restricted Differential Revision
Parents
rG29937d7a1a0a: ctl: fix Use-After-Free in ctl_write_buffer
Branches
Unknown
Tags
Unknown