ctl: fix memory disclosure in read/write buffer commands

The functions ctl_write_buffer() and ctl_read_buffer() are vulnerable to
a kernel memory disclosure caused by an uninitialized kernel allocation.
If one of these functions is called for the first time for a given LUN, a
kernel allocation is performed without the M_ZERO flag. Then a call to
ctl_read_buffer() returns the content of this allocation, which may
contain kernel data.

Reported by:	Synacktiv
Reviewed by:	asomers
Reviewed by:	jhb
Security:	FreeBSD-SA-24:11.ctl
Security:	CVE-2024-8178
Security:	HYP-05
Sponsored by:	The Alpha-Omega Project
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D45952
Pierre Pronchery 2024-09-04 14:38:11 +00:00 committed by Ed Maste
parent 670b582db6
commit ea44766b78


@ -5586,7 +5586,7 @@ ctl_read_buffer(struct ctl_scsiio *ctsio)
} else {
if (lun->write_buffer == NULL) {
lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE,
M_CTL, M_WAITOK);
M_CTL, M_WAITOK | M_ZERO);
}
ctsio->kern_data_ptr = lun->write_buffer + buffer_offset;
}
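Review bot: adding M_ZERO closes the disclosure here, but the visible context does not show which lock covers the `if (lun->write_buffer == NULL)` check and the assignment that follows; if two READ BUFFER commands for the same LUN can reach this block concurrently, the check-then-allocate pattern would leak one allocation and leave `kern_data_ptr` pointing at a buffer that is then replaced. Worth confirming in the surrounding code that the LUN lock is held, and a short comment on why the read path allocates at all (so a READ BUFFER with no prior WRITE BUFFER returns a defined, all-zero image rather than uninitialized memory) would help the next reader.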
@ -5627,7 +5627,7 @@ ctl_write_buffer(struct ctl_scsiio *ctsio)
if (lun->write_buffer == NULL) {
lun->write_buffer = malloc(CTL_WRITE_BUFFER_SIZE,
M_CTL, M_WAITOK);
M_CTL, M_WAITOK | M_ZERO);
}
/*
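Review bot: M_ZERO is needed in the write path as well, since a WRITE BUFFER that fills only part of CTL_WRITE_BUFFER_SIZE leaves the remaining bytes untouched and a later READ BUFFER would return them; the reason is not obvious from the one-word flag change, so a comment stating it would be useful. The allocation is now duplicated verbatim in ctl_read_buffer() and ctl_write_buffer(), so consider hoisting `malloc(CTL_WRITE_BUFFER_SIZE, M_CTL, M_WAITOK | M_ZERO)` into a small helper so the two call sites cannot drift apart again.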