You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
627 lines
24 KiB
627 lines
24 KiB
5 years ago
|
commit d77120341812164516e3d8e380c98f6be6dac9d7
|
||
|
Author: Benjamin Kaduk <kaduk@mit.edu>
|
||
|
Date: Mon Sep 10 20:36:31 2018 -0500
|
||
|
|
||
|
Make OpenAFS 1.6.23
|
||
|
|
||
|
Update version strings for the 1.6.23 release.
|
||
|
|
||
|
Change-Id: I4cbfcca4f986cd201ec3e45d61c7ad53990aede8
|
||
|
|
||
|
commit 213f5591a47e246d7964ef10d4e3adf5c0bab487
|
||
|
Author: Benjamin Kaduk <kaduk@mit.edu>
|
||
|
Date: Mon Sep 10 20:26:20 2018 -0500
|
||
|
|
||
|
Update NEWS for 1.6.23
|
||
|
|
||
|
Release notes for the OpenAFS 1.6.23 security release.
|
||
|
|
||
|
Change-Id: I7c3422ca50f1a6d4f91852d31b91673c65ac95d6
|
||
|
|
||
|
commit 885c02af3761c0f2bf3350dc4beef09a92770aa7
|
||
|
Author: Benjamin Kaduk <kaduk@mit.edu>
|
||
|
Date: Tue Sep 11 10:51:01 2018 -0500
|
||
|
|
||
|
Fix typos in audit format strings
|
||
|
|
||
|
Commit 9ebff4c6caa8b499d999cfd515d4d45eb3179769 introduced audit
|
||
|
framework support for several butc-related data types, but had
|
||
|
a typo ('$d' for '%d') in a couple of places, that was not reported
|
||
|
by compiler format-string checking. Fix the typo to properly print
|
||
|
all the auditable data.
|
||
|
|
||
|
(cherry picked from commit d5816fd6cd1876760a985a817dbbb3940cf3bddb)
|
||
|
|
||
|
(cherry picked from commit 90601818205aeefd1cf99b8766a7bfd03bf9b96a)
|
||
|
|
||
|
(cherry picked from commit 0cdb370f1813158a6dbd577e5c250bc26ac4590c)
|
||
|
|
||
|
Change-Id: I0d1cb15d02225a8557da09ed72efbc5103e1ec1b
|
||
|
|
||
|
commit 9067d543817f32deb334e20c67e071f124a42140
|
||
|
Author: Benjamin Kaduk <kaduk@mit.edu>
|
||
|
Date: Sun Sep 9 10:44:38 2018 -0500
|
||
|
|
||
|
OPENAFS-SA-2018-001 backup: use authenticated connection to butc
|
||
|
|
||
|
Use the standard routine to pick a client security object, instead of
|
||
|
always assuming rxnull. Respect -localauth as well as being able to
|
||
|
use the current user's tokens, but also provide a -nobutcauth argument
|
||
|
to fall back to the historical rxnull behavior (but only for the connections
|
||
|
to butc; vldb and budb connections are not affected).
|
||
|
|
||
|
(cherry picked from commit 345ee34236c08a0a2fb3fff016edfa18c7af4b0a)
|
||
|
|
||
|
(cherry picked from commit ed217df4b23e111d4b12e7236bdf6f8ab5575952)
|
||
|
|
||
|
(cherry picked from commit 3f06dd4f73f7fa1f6ecbd71e9ebe2ef5c67dfebd)
|
||
|
|
||
|
commit cb8b8300369cf12f1a4681010b71aa46659529bc
|
||
|
Author: Benjamin Kaduk <kaduk@mit.edu>
|
||
|
Date: Thu Sep 6 18:50:39 2018 -0500
|
||
|
|
||
|
OPENAFS-SA-2018-001 butc: require authenticated connections with -localauth
|
||
|
|
||
|
The butc -localauth option is available to use the cell-wide key to
|
||
|
authenticate to the vlserver and buserver, which in normal deployments
|
||
|
will require incoming connections to be authenticated as a superuser.
|
||
|
In such cases, the cell-wide key is also available for use in
|
||
|
authenticating incoming connections to the butc, which would otherwise
|
||
|
have been completely unauthenticated.
|
||
|
|
||
|
Because of the security hazards of allowing unauthenticaed inbound
|
||
|
RPCs, especially ones that manipulate backup information and are allowed
|
||
|
to initiate outboud RPCs authenticated as the superuser, default to
|
||
|
not allowing unauthenticated inbound RPCs at all. Provide an opt-out
|
||
|
command-line argument for deployments that require this functionality
|
||
|
and have configured their network environment (firewall/etc.) appropriately.
|
||
|
|
||
|
(cherry picked from commit 1b199eeafad6420982380ce5e858f00c528cfd13)
|
||
|
|
||
|
(cherry picked from commit fa04588907321e8b50b64f30dcc049e60268a05a)
|
||
|
|
||
|
Change-Id: Ib796fd4d61cc5d2e98f1b1e787f3267456b0ffe8
|
||
|
|
||
|
commit 78b5be7ddd9f8b9b416c7405074253770e8354d8
|
||
|
Author: Benjamin Kaduk <kaduk@mit.edu>
|
||
|
Date: Sun Sep 9 11:49:03 2018 -0500
|
||
|
|
||
|
OPENAFS-SA-2018-001 Add auditing to butc server RPC implementations
|
||
|
|
||
|
Make the actual implementations into helper functions, with the RPC
|
||
|
stubs calling the helpers and doing the auditing on the results, akin
|
||
|
to most other server programs in the tree. This relies on support for
|
||
|
some additional types having been added to the audit framework.
|
||
|
|
||
|
(cherry picked from commit c43169fd36348783b1a5a55c5bb05317e86eef82)
|
||
|
|
||
|
(cherry picked from commit 6f8c0c8134de1b5358ec56878e350aeab31aa3cd)
|
||
|
|
||
|
(cherry picked from commit 23f3f2e0d96e30a7bc9c355414db995df820e5ba)
|
||
|
|
||
|
Change-Id: Icb4a9ca3cce81b088268655a648823f3e8260f0a
|
||
|
|
||
|
commit ccd02a1bbb44d4c3a15d721a9d4fd8d84cd4e0ee
|
||
|
Author: Benjamin Kaduk <kaduk@mit.edu>
|
||
|
Date: Sat Sep 8 19:42:36 2018 -0500
|
||
|
|
||
|
OPENAFS-SA-2018-001 audit: support butc types
|
||
|
|
||
|
Add support for several complex butc types to enable butc auditing.
|
||
|
|
||
|
(cherry picked from commit 41d2dd569a365465ac47da3cd39eceba4beaeaf3)
|
||
|
|
||
|
(cherry picked from commit 049b7eafe125d12803e848f38f18680dff31ab80)
|
||
|
|
||
|
Change-Id: I6662f028e300afaa5e2586db1a590f9ea8ec3139
|
||
|
|
||
|
commit b18e8f4a8957c5022fa91168d73b2eb7fb28e93b
|
||
|
Author: Benjamin Kaduk <kaduk@mit.edu>
|
||
|
Date: Sat Sep 8 20:35:25 2018 -0500
|
||
|
|
||
|
OPENAFS-SA-2018-001 butc: remove dummy osi_audit() routine
|
||
|
|
||
|
This local stub was present in the original IBM import and is unused.
|
||
|
It will conflict with the real audit code once we start adding auditing
|
||
|
to the TC_ RPCs, so remove it now.
|
||
|
|
||
|
(cherry picked from commit 50216dbbc30ed94f89bdd0e964f4891e87f28c0b)
|
||
|
|
||
|
(cherry picked from commit 7eb650a6edd96e3c7e68f170945ddcdac8b67975)
|
||
|
|
||
|
(cherry picked from commit cf69365f0416c58462cbea75dc17cde01f343175)
|
||
|
|
||
|
Change-Id: Idf9d3dfa040cdd34437d1c97ce27a1225a356993
|
||
|
|
||
|
commit 187cf8717cb983eeabb919b2ac189fa5505c369c
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Fri Jul 6 03:14:19 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-003 rxgen: prevent unbounded input arrays
|
||
|
|
||
|
RPCs with unbounded arrays as inputs are susceptible to remote
|
||
|
denial-of-service (DOS) attacks. A malicious client may submit an RPC
|
||
|
request with an arbitrarily large array, forcing the server to expend
|
||
|
large amounts of network bandwidth, cpu cycles, and heap memory to
|
||
|
unmarshal the input.
|
||
|
|
||
|
Instead, issue an error message and stop rxgen when it detects an RPC
|
||
|
defined with an unbounded input array. Thus we will detect the problem
|
||
|
at build time and prevent any future unbounded input arrays.
|
||
|
|
||
|
(cherry picked from commit a4c1d5c48deca2ebf78b1c90310b6d56b3d48af6)
|
||
|
|
||
|
(cherry picked from commit 2cf5cfa8561047e855fed9ab35d1a041e309e39a)
|
||
|
|
||
|
(cherry picked from commit 289a5643e7af399b3e99eb33d50b6c602e442a02)
|
||
|
|
||
|
Change-Id: If5222aab9ce700ba8d9520e5e2e81e66e1b87fd1
|
||
|
|
||
|
commit 6cbb7d9d57e5f7e0090b538c92b3eafe9c2656b0
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Fri Jul 6 03:21:26 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-003 volser: prevent unbounded input to various AFSVol* RPCs
|
||
|
|
||
|
Several AFSVol* RPCs are defined with an unbounded XDR "string" as
|
||
|
input.
|
||
|
|
||
|
RPCs with unbounded arrays as inputs are susceptible to remote
|
||
|
denial-of-service (DOS) attacks. A malicious client may submit an
|
||
|
AFSVol* request with an arbitrarily large string, forcing the volserver
|
||
|
to expend large amounts of network bandwidth, cpu cycles, and heap
|
||
|
memory to unmarshal the input.
|
||
|
|
||
|
Instead, give each input "string" an appropriate size.
|
||
|
Volume names are inherently capped to 32 octets (including trailing NUL)
|
||
|
by the protocol, but there is less clearly a hard limit on partition names.
|
||
|
The Vol_PartitionInfo{,64} functions accept a partition name as input and
|
||
|
also return a partition name in the output structure; the output values
|
||
|
have wire-protocol limits, so larger values could not be retrieved by clients,
|
||
|
but for denial-of-service purposes, a more generic PATH_MAX-like value seems
|
||
|
appropriate. We have several varying sources of such a limit in the tree, but
|
||
|
pick 4k as the least-restrictive.
|
||
|
|
||
|
[kaduk@mit.edu: use a larger limit for pathnames and expand on PATH_MAX in
|
||
|
commit message]
|
||
|
|
||
|
(cherry picked from commit 8b92d015ccdfcb70c7acfc38e330a0475a1fbe28)
|
||
|
|
||
|
(cherry picked from commit fe41fa565be6e325da75f3e9b8fbdac2c521b027)
|
||
|
|
||
|
(cherry picked from commit 39b675e243be70237ba9460b49b461c128aedffd)
|
||
|
|
||
|
Change-Id: Idad0b0abf582b356042245398e1317a610ff321e
|
||
|
|
||
|
commit 35240e33317658a396cd3da994b5d20a71f4abc3
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Fri Jul 6 01:09:53 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-003 volser: prevent unbounded input to AFSVolForwardMultiple
|
||
|
|
||
|
AFSVolForwardMultiple is defined with an input parameter that is defined
|
||
|
to XDR as an unbounded array of replica structs:
|
||
|
typedef replica manyDests<>;
|
||
|
|
||
|
RPCs with unbounded arrays as inputs are susceptible to remote
|
||
|
denial-of-service (DOS) attacks. A malicious client may submit an
|
||
|
AFSVolForwardMultiple request with an arbitrarily large array, forcing
|
||
|
the volserver to expend large amounts of network bandwidth, cpu cycles,
|
||
|
and heap memory to unmarshal the input.
|
||
|
|
||
|
Even though AFSVolForwardMultiple requires superuser authorization, this
|
||
|
attack is exploitable by non-authorized actors because XDR unmarshalling
|
||
|
happens long before any authorization checks can occur.
|
||
|
|
||
|
Add a bounding constant (NMAXNSERVERS 13) to the manyDests input array.
|
||
|
This constant is derived from the current OpenAFS vldb implementation, which
|
||
|
is limited to 13 replica sites for a given volume by the layout (size) of the
|
||
|
serverNumber, serverPartition, and serverFlags fields.
|
||
|
|
||
|
[kaduk@mit.edu: explain why this constant is used]
|
||
|
|
||
|
(cherry picked from commit 97b0ee4d9c9d069e78af2e046c7987aa4d3f9844)
|
||
|
|
||
|
(cherry picked from commit fac3749f0d180e0ca229326c0e8568a60e17d3e9)
|
||
|
|
||
|
(cherry picked from commit ea30e64d1b2153f51a83069f3471356553a27a2b)
|
||
|
|
||
|
Change-Id: Ib2e5d4cc660e0a278b9dbd10ac2db656239e1302
|
||
|
|
||
|
commit b8142be4b4642a37500081ef459544cdb2091218
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Thu Jul 5 23:51:37 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-003 budb: prevent unbounded input to BUDB_SaveText
|
||
|
|
||
|
BUDB_SaveText is defined with an input parameter that is defined to XDR
|
||
|
as an unbounded array of chars:
|
||
|
typedef char charListT<>;
|
||
|
|
||
|
RPCs with unbounded arrays as inputs are susceptible to remote
|
||
|
denial-of-service (DOS) attacks. A malicious client may submit a
|
||
|
BUDB_SaveText request with an arbitrarily large array, forcing the budb
|
||
|
server to expend large amounts of network bandwidth, cpu cycles, and
|
||
|
heap memory to unmarshal the input.
|
||
|
|
||
|
Modify the XDR definition of charListT so it is bounded. This typedef
|
||
|
is shared (as an OUT parameter) by BUDB_GetText and BUDB_DumpDB, but
|
||
|
fortunately all in-tree callers of the client routines specify the same
|
||
|
maximum length of 1024.
|
||
|
|
||
|
Note: However, SBUDB_SaveText server implementation seems to allow for up to
|
||
|
BLOCK_DATA_SIZE (2040) = BLOCKSIZE (2048) - sizeof(struct blockHeader)
|
||
|
(8), and it's unknown if any out-of-tree callers exist. Since we do not need a
|
||
|
tight bound in order to avoid the DoS, use a somewhat higher maximum of
|
||
|
4096 bytes to leave a safety margin.
|
||
|
|
||
|
[kaduk@mit.edu: bump the margin to 4096; adjust commit message to match]
|
||
|
|
||
|
(cherry picked from commit 124445c0c47994f5e2efef30e86337c3c8ebc93f)
|
||
|
|
||
|
(cherry picked from commit 87f199c14199afa29f75bb336383564f0fb4548a)
|
||
|
|
||
|
(cherry picked from commit c5c3a858b21eaaabda46e1dffdea038fa234d657)
|
||
|
|
||
|
Change-Id: I6802e76a5f6e39e31ece66d1ff00ed11b47b6c36
|
||
|
|
||
|
commit e3840eb1a23b36aed395337b2fa774c079f3c092
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Thu Jul 5 21:11:30 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-003 vlserver: prevent unbounded input to VL_RegisterAddrs
|
||
|
|
||
|
VL_RegisterAddrs is defined with an input argument of type bulkaddrs,
|
||
|
which is defined to XDR as an unbounded array of afs_uint32 (IPv4 addresses):
|
||
|
typedef afs_uint32 bulkaddrs<>
|
||
|
|
||
|
The <> with no value instructs rxgen to build client and server stubs
|
||
|
that allow for a maximum size of "~0u" or 0xFFFFFFFF.
|
||
|
|
||
|
Ostensibly the bulkaddrs array is unbounded to allow it to be shared
|
||
|
among VL_RegisterAddrs, VL_GetAddrs, and VL_GetAddrsU. The VL_GetAddrs*
|
||
|
RPCs use bulkaddrs as an output array with a maximum size of MAXSERVERID
|
||
|
(254). VL_RegisterAddrss uses bulkaddrs as an input array, with a
|
||
|
nominal size of VL_MAXIPADDRS_PERMH (16).
|
||
|
|
||
|
However, RPCs with unbounded array inputs are susceptible to remote
|
||
|
denial-of-service attacks. That is, a malicious client may send a
|
||
|
VL_RegisterAddrs request with an arbitrarily long array, forcing the
|
||
|
vlserver to expend large amounts of network bandwidth, cpu cycles, and
|
||
|
heap memory to unmarshal the argument. Even though VL_RegisterAddrs
|
||
|
requires superuser authorization, this attack is exploitable by
|
||
|
non-authorized actors because XDR unmarshalling happens long before any
|
||
|
authorization checks can occur.
|
||
|
|
||
|
Because all uses of the type that our implementation support have fixed
|
||
|
bounds on valid data (whether input or output), apply an arbitrary
|
||
|
implementation limit (larger than any valid structure would be), to
|
||
|
prevent this class of attacks in the XDR decoder.
|
||
|
|
||
|
[kaduk@mit.edu: limit the bulkaddrs type instead of introducing a new type]
|
||
|
|
||
|
(cherry picked from commit 7629209219bbea3f127b33be06ac427ebc3a559e)
|
||
|
|
||
|
(cherry picked from commit 4218dc0a2db75c740d1d31966e672f85ad7999bd)
|
||
|
|
||
|
(cherry picked from commit 38f401ae7e0e88fb65b651125a2c8a723db1e071)
|
||
|
|
||
|
Change-Id: Ib0798af007af14a2a91ae280c0f28838f33d1a65
|
||
|
|
||
|
commit 4dd98168f0fc851716d30fc1e2839f11304a4d04
|
||
|
Author: Benjamin Kaduk <kaduk@mit.edu>
|
||
|
Date: Thu Aug 30 10:38:56 2018 -0500
|
||
|
|
||
|
OPENAFS-SA-2018-002 butc: Initialize OUT scalar value
|
||
|
|
||
|
In STC_ReadLabel, the interaction with the tape device is
|
||
|
synchronous, so there is no need to allocate a task ID for status
|
||
|
monitoring. However, we do need to initialize the output value,
|
||
|
to avoid writing stack garbage on the wire.
|
||
|
|
||
|
(cherry picked from commit f5a80115f8f7f9418287547f0fc7fdb13d936f00)
|
||
|
|
||
|
(cherry picked from commit 418b2ab56c60e44375df31a3a8f77461d577a5ff)
|
||
|
|
||
|
(cherry picked from commit babbb2824a5e3d6210b9079ab08f8771ac6ef892)
|
||
|
|
||
|
Change-Id: Ie18bbe7542a23d2ce952cfcd5288ee0aa43bb71f
|
||
|
|
||
|
commit ab8a6ab1230f5274630e0d0b9e35a778b6d9f79b
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Tue Jun 26 06:01:16 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-002 ubik: prevent VOTE_Debug, VOTE_XDebug information leak
|
||
|
|
||
|
VOTE_Debug and VOTE_XDebug (udebug) both leave a single field
|
||
|
uninitialized if there is no current transaction. This leaks the memory
|
||
|
contents of the ubik server over the wire.
|
||
|
|
||
|
struct ubik_debug
|
||
|
- 4 bytes in member writeTrans
|
||
|
|
||
|
In common code to both RPCs, ensure that writeTrans is always
|
||
|
initialized.
|
||
|
|
||
|
[kaduk@mit.edu: switch to memset]
|
||
|
|
||
|
(cherry picked from commit 7a7c1f751cdb06c0d95339c999b2c035c2d2168b)
|
||
|
|
||
|
(cherry picked from commit 0ee86cc3f986365df9de21ede5735cc1f40db7e5)
|
||
|
|
||
|
(cherry picked from commit 9db5fcf460988b605ba8ba7078b9c8d702aba370)
|
||
|
|
||
|
Change-Id: I1c9fc9a6a8bb8aed04f814e4da041af3f49a7401
|
||
|
|
||
|
commit 973bba24a6d2f419680873f4133dbad8cd37ce9f
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Tue Jun 26 05:26:21 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-002 kaserver: prevent KAM_ListEntry information leak
|
||
|
|
||
|
KAM_ListEntry (kas list) does not initialize its output correctly. It
|
||
|
leaks kaserver memory contents over the wire:
|
||
|
|
||
|
struct kaindex
|
||
|
- up to 64 bytes for member name
|
||
|
- up to 64 bytes for member instance
|
||
|
|
||
|
Initialize the buffer.
|
||
|
|
||
|
[kaduk@mit.edu: move initialization to top of server routine]
|
||
|
|
||
|
(cherry picked from commit b604ee7add7be416bf20973422a041e913d20761)
|
||
|
|
||
|
(cherry picked from commit c912830e9c82d91bccf85018ef1e6a75edc410c4)
|
||
|
|
||
|
(cherry picked from commit 04fb009f15b75aca8e62675972ce23526a62ba80)
|
||
|
|
||
|
Change-Id: I613b1f46b913d4208bac15eb92274127da14e9c9
|
||
|
|
||
|
commit e573d36b212192b04235dac24f709e7d5784f904
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Tue Jun 26 05:12:32 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-002 butc: prevent TC_DumpStatus, TC_ScanStatus information leaks
|
||
|
|
||
|
TC_ScanStatus (backup status) and TC_GetStatus (internal backup status
|
||
|
watcher) do not initialize their output buffers. They leak memory
|
||
|
contents over the wire:
|
||
|
|
||
|
struct tciStatusS
|
||
|
- up to 64 bytes in member taskName (TC_MAXNAMELEN 64)
|
||
|
- up to 64 bytes in member volumeName "
|
||
|
|
||
|
Initialize the buffers.
|
||
|
|
||
|
[kaduk@mit.edu: move initialization to top of server routines]
|
||
|
|
||
|
(cherry picked from commit be0142707ca54f3de99c4886530e7ac9f48dd61c)
|
||
|
|
||
|
(cherry picked from commit 43b3efd4f8cd3227b2b24ff673adeb834f6a3f0b)
|
||
|
|
||
|
(cherry picked from commit a41b75a13b9a96a929fa69db43fbc4ca071ee717)
|
||
|
|
||
|
Change-Id: Ibe35ca06eb663399f0b9e14d7487d91553cd67c8
|
||
|
|
||
|
commit bd86cbcfd95f30bc10dc703a96ed54f516bb4b99
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Tue Jun 26 05:00:25 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-002 butc: prevent TC_ReadLabel information leak
|
||
|
|
||
|
TC_ReadLabel (backup readlabel) does not initialize its output buffer
|
||
|
completely. It leaks butc memory contents over the wire:
|
||
|
|
||
|
struct tc_tapeLabel
|
||
|
- up to 32 bytes from member afsname (TC_MAXTAPELEN 32)
|
||
|
- up to 32 bytes from member pname (TC_MAXTAPELEN 32)
|
||
|
|
||
|
Initialize the buffer.
|
||
|
|
||
|
[kaduk@mit.edu: move initialization to the RPC stub]
|
||
|
|
||
|
(cherry picked from commit 52f4d63148323e7d605f9194ff8c1549756e654b)
|
||
|
|
||
|
(cherry picked from commit b7e53b9e9706d63215a1804ed9eca30d69461f03)
|
||
|
|
||
|
(cherry picked from commit 3e0294543d4f4ab58694e1aca393b961f05d7c8f)
|
||
|
|
||
|
Change-Id: I4e8ab1b94d36e9904a9505cd7f0e97cc6fb3a40f
|
||
|
|
||
|
commit 5c6589b395e35e54f8e7c583ea4d87826a854fba
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Tue Jun 26 04:39:44 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-002 budb: prevent BUDB_* information leaks
|
||
|
|
||
|
The following budb RPCs do not initialize their output correctly.
|
||
|
This leaks buserver memory contents over the wire:
|
||
|
|
||
|
BUDB_FindLatestDump (backup dump)
|
||
|
BUDB_FindDump (backup volrestore, diskrestore, volsetrestore)
|
||
|
BUDB_GetDumps (backup dumpinfo)
|
||
|
BUDB_FindLastTape (backup dump)
|
||
|
|
||
|
struct budb_dumpEntry
|
||
|
- up to 32 bytes in member volumeSetName
|
||
|
- up to 256 bytes in member dumpPath
|
||
|
- up to 32 bytes in member name
|
||
|
- up to 32 bytes in member tape.tapeServer
|
||
|
- up to 32 bytes in member tape.format
|
||
|
- up to 256 bytes in member dumper.name
|
||
|
- up to 128 bytes in member dumper.instance
|
||
|
- up to 256 bytes in member dumper.cell
|
||
|
|
||
|
Initialize the buffer in common routine FillDumpEntry.
|
||
|
|
||
|
(cherry picked from commit e96771471134102d3879a0ac8b2c4ef9d91a61b8)
|
||
|
|
||
|
(cherry picked from commit 6f26a945adeca87b669282eed0eaca3dca0a1423)
|
||
|
|
||
|
(cherry picked from commit b4543ae2331fae6d70c067d86d20bfbc8d509468)
|
||
|
|
||
|
Change-Id: I713f967eebc1286764b9658ff4ddccb65f456480
|
||
|
|
||
|
commit c72abcde2c6fcafc9ab940a74f2384a159eaee98
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Tue Jun 26 03:56:24 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-002 afs: prevent RXAFSCB_TellMeAboutYourself information leak
|
||
|
|
||
|
RXAFSCB_TellMeAboutYourself does not completely initialize its output
|
||
|
buffers. This leaks kernel memory over the wire:
|
||
|
|
||
|
struct interfaceAddr
|
||
|
Unix cache manager (libafs)
|
||
|
- up to 124 bytes in array addr_in ((AFS_MAX_INTERFACE_ADDR 32 * 4) - 4))
|
||
|
- up to 124 bytes in array subnetmask "
|
||
|
- up to 124 bytes in array mtu "
|
||
|
|
||
|
Windows cache manager
|
||
|
- 64 bytes in array addr_in ((AFS_MAX_INTERFACE_ADDR 32 - CM_MAXINTERFACE_ADDR 16)* 4)
|
||
|
- 64 bytes in array subnetmask "
|
||
|
- 64 bytes in array mtu "
|
||
|
|
||
|
The following implementations of SRXAFSCB_TellMeAboutYourself are not susceptible:
|
||
|
- fsprobe
|
||
|
- libafscp
|
||
|
- xstat_fs_test
|
||
|
|
||
|
Initialize the buffer.
|
||
|
|
||
|
(cherry picked from commit 211b6d6a4307006da1467b3be46912a3a5d7b20b)
|
||
|
|
||
|
(cherry picked from commit a6557ffa64d8fab3526c4f89629dcbb965a27780)
|
||
|
|
||
|
(cherry picked from commit 0dbbcc9ac62425618a3a3a28ee05eba2507f6efd)
|
||
|
|
||
|
Change-Id: Ic977c8a473df12f64d2865cd68f1f42744b57d9e
|
||
|
|
||
|
commit 283b950ed53c3c248078c9aaab10227de539b06d
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Tue Jun 26 03:47:41 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-002 afs: prevent RXAFSCB_GetLock information leak
|
||
|
|
||
|
RXAFSCB_GetLock (cmdebug) does not correctly initialize its output.
|
||
|
This leaks kernel memory over the wire:
|
||
|
|
||
|
struct AFSDBLock
|
||
|
- up to 14 bytes for member name (16 - '<cellname>\0')
|
||
|
|
||
|
Initialize the buffer.
|
||
|
|
||
|
(cherry picked from commit b52eb11a08f2ad786238434141987da27b81e743)
|
||
|
|
||
|
(cherry picked from commit 3dea4adaa356b7eed40b6162c106c5e90690f5a1)
|
||
|
|
||
|
(cherry picked from commit f0c4f8d899214bf405e809be813be4d5be125ad8)
|
||
|
|
||
|
Change-Id: I3935968bacb8e063fd1fdd2fc52efd2258a5eb99
|
||
|
|
||
|
commit 6cdfce3c9a5712a6a3088c1f3693a6b782771375
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Tue Jun 26 03:37:37 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-002 ptserver: prevent PR_ListEntries information leak
|
||
|
|
||
|
PR_ListEntries (pts listentries) does not properly initialize its output
|
||
|
buffers. This leaks ptserver memory over the wire:
|
||
|
|
||
|
struct prlistentries
|
||
|
- up to 62 bytes for each entry name (PR_MAXNAMELEN 64 - 'a\0')
|
||
|
|
||
|
Initialize the buffer, and remove the now redundant memset for the
|
||
|
reserved fields.
|
||
|
|
||
|
(cherry picked from commit 9d1aeb5d761581a35bef2042e9116b96e9ae3bf5)
|
||
|
|
||
|
(cherry picked from commit e19ad4cdde463d2bbb4b815525da992bd5fc2648)
|
||
|
|
||
|
(cherry picked from commit 7ee25861685a4f56b304627ca2a0dbfed179646d)
|
||
|
|
||
|
Change-Id: I42d32876ddf8fa98744620fdf75b4e0783b93aba
|
||
|
|
||
|
commit c67fe473f7a8710c2cebbcc4d4b767ba152342f0
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Tue Jun 26 03:00:02 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-002 volser: prevent AFSVolMonitor information leak
|
||
|
|
||
|
AFSVolMonitor (vos status) does not properly initialize its output
|
||
|
buffers. This leaks information from volserver memory:
|
||
|
|
||
|
struct transDebugInfo
|
||
|
- up to 29 bytes in member lastProcName (30-'\0')
|
||
|
- 16 bytes in members readNext, tranmitNext, lastSendTime,
|
||
|
lastReceiveTime
|
||
|
|
||
|
Initialize the buffers. This must be done on a per-buffer basis inside
|
||
|
the loop, since realloc is used to expand the storage if needed,
|
||
|
and there is not a standard realloc API to zero the newly allocated storage.
|
||
|
|
||
|
[kaduk@mit.edu: update commit message]
|
||
|
|
||
|
(cherry picked from commit 26924fd508b21bb6145e77dc31b6cd0923193b72)
|
||
|
|
||
|
(cherry picked from commit 2d22756de7af2c72b8aca6969825f8e921f01d6c)
|
||
|
|
||
|
(cherry picked from commit 37cbe68577d39241a2d5a1fe75e8a0490516dfc4)
|
||
|
|
||
|
Change-Id: I1eab9e35207fed5d151c70962c00b6fa8ac7da58
|
||
|
|
||
|
commit 4279e1f18026c3e8a38461da612902829484acc5
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Tue Jun 26 02:33:05 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-002 volser: prevent AFSVolPartitionInfo(64) information leak
|
||
|
|
||
|
AFSVolPartitionInfo and AFSVolPartitionInfo64 (vos partinfo) do not
|
||
|
properly initialize their reply buffers. This leaks the contents of
|
||
|
volserver memory over the wire:
|
||
|
|
||
|
AFSVolPartitionInfo (struct diskPartition)
|
||
|
- up to 24 bytes in member name (32-'/vicepa\0'))
|
||
|
- up to 12 bytes in member devName (32-'/vicepa/Lock/vicepa\0'))
|
||
|
|
||
|
AFSVolPartitionInfo64 (struct diskPartition64)
|
||
|
- up to 248 bytes in member name (256-'/vicepa\0'))
|
||
|
- up to 236 bytes in member devName (256-'/vicepa/Lock/vicepa\0')
|
||
|
|
||
|
Initialize the output buffers.
|
||
|
|
||
|
[kaduk@mit.edu: move memset to top-level function scope of RPC handlers]
|
||
|
|
||
|
(cherry picked from commit 76e62c1de868c2b2e3cc56a35474e15dc4cc1551)
|
||
|
|
||
|
(cherry picked from commit 28edf734db08d3a8285e89d9d78aa21db726e4c7)
|
||
|
|
||
|
(cherry picked from commit f1c9c0160e364b4935fbb758890fcf5dc0edad4a)
|
||
|
|
||
|
Change-Id: I48348b326f0933a0fcb556425f085abad36d3bea
|
||
|
|
||
|
commit 50ba59fb4404af93c58e095b57f1d33de8b05899
|
||
|
Author: Mark Vitale <mvitale@sinenomine.net>
|
||
|
Date: Mon Jun 25 18:03:12 2018 -0400
|
||
|
|
||
|
OPENAFS-SA-2018-002 ptserver: prevent PR_IDToName information leak
|
||
|
|
||
|
SPR_IDToName does not completely initialize the return array of names,
|
||
|
and thus leaks information from ptserver memory:
|
||
|
|
||
|
- up to 62 bytes per requested id (PR_MAXNAMELEN 64 - 'a\0')
|
||
|
|
||
|
Use calloc to ensure that all memory sent on the wire is initialized,
|
||
|
preventing the information leak.
|
||
|
|
||
|
[kaduk@mit.edu: switch to calloc; update commit message]
|
||
|
|
||
|
(cherry picked from commit 70b0136d552a0077d3fae68f3aebacd985abd522)
|
||
|
|
||
|
(cherry picked from commit c8c8682bb0e84ee5289fac3063119ae524773f61)
|
||
|
|
||
|
(cherry picked from commit 40343287fbca6f4b1098f5b60ef9ff5416376b08)
|
||
|
|
||
|
Change-Id: I793ccc2f3595344e72e9b4ba948a2266f1c4c0a5
|