https://git.reactos.org/?p=reactos.git;a=commitdiff;h=166f815e7b66966e5703c…
commit 166f815e7b66966e5703c15275e3620bbedcd8a4
Author: Nguyen Trung Khanh <nguyentrungkhanh97(a)gmail.com>
AuthorDate: Fri Sep 11 19:51:35 2020 +0700
Commit: GitHub <noreply(a)github.com>
CommitDate: Fri Sep 11 15:51:35 2020 +0300
[FILESYSTEMS] Fix pool memory disclosure in filesystem drivers supporting
FS_INFORMATION_CLASS.FileFsVolumeInformation (#2975)
* FileFsVolumeInformation-memory-disclosure
* remove unnecessary assignment to 0
* fix
---
drivers/filesystems/cdfs/volinfo.c | 4 ++++
drivers/filesystems/fastfat/volume.c | 3 ++-
drivers/filesystems/nfs/nfs41_driver.c | 4 ++++
drivers/filesystems/npfs/volinfo.c | 8 ++------
drivers/filesystems/udfs/volinfo.cpp | 3 +++
5 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/drivers/filesystems/cdfs/volinfo.c b/drivers/filesystems/cdfs/volinfo.c
index f61c9758868..0a0ef10bd57 100644
--- a/drivers/filesystems/cdfs/volinfo.c
+++ b/drivers/filesystems/cdfs/volinfo.c
@@ -160,6 +160,10 @@ Return Value:
// and false if it couldn't wait for any I/O to complete.
//
+#ifdef __REACTOS__
+ RtlZeroMemory(Irp->AssociatedIrp.SystemBuffer, Length);
+#endif // __REACTOS__
+
switch (IrpSp->Parameters.QueryVolume.FsInformationClass) {
case FileFsSizeInformation:
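Review bot: The added `RtlZeroMemory(Irp->AssociatedIrp.SystemBuffer, Length);` has no comment saying why the whole output buffer is cleared, so a later cleanup or upstream resync could drop it as redundant and reopen the disclosure. A one-line comment above the call would do, for example `// Zero the whole output buffer so padding and fields that no case fills never return stale pool contents.` The same applies to the zeroing calls added in fastfat/volume.c, nfs/nfs41_driver.c, npfs/volinfo.c and udfs/volinfo.cpp. The enclosing function starts and ends outside this hunk and the assignment of `Length` is not visible, so it is worth confirming that it is the length the system buffer was allocated with.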
diff --git a/drivers/filesystems/fastfat/volume.c b/drivers/filesystems/fastfat/volume.c
index f4f8f738ebf..e1eba1fd2a7 100644
--- a/drivers/filesystems/fastfat/volume.c
+++ b/drivers/filesystems/fastfat/volume.c
@@ -48,7 +48,6 @@ FsdGetFsVolumeInformation(
RtlCopyMemory(FsVolumeInfo->VolumeLabel,
DeviceObject->Vpb->VolumeLabel,
*BufferLength);
- *BufferLength = 0;
}
else
{
@@ -457,6 +456,8 @@ VfatQueryVolumeInformation(
DPRINT("FsInformationClass %d\n", FsInformationClass);
DPRINT("SystemBuffer %p\n", SystemBuffer);
+ RtlZeroMemory(SystemBuffer, BufferLength);
+
switch (FsInformationClass)
{
case FileFsVolumeInformation:
diff --git a/drivers/filesystems/nfs/nfs41_driver.c
b/drivers/filesystems/nfs/nfs41_driver.c
index 90b57c8f270..86e8b594a9b 100644
--- a/drivers/filesystems/nfs/nfs41_driver.c
+++ b/drivers/filesystems/nfs/nfs41_driver.c
@@ -4546,6 +4546,10 @@ NTSTATUS nfs41_QueryVolumeInformation(
status = check_nfs41_dirquery_args(RxContext);
if (status) goto out;
+#ifdef __REACTOS__
+ RtlZeroMemory(RxContext->Info.Buffer, RxContext->Info.LengthRemaining);
+#endif // __REACTOS__
+
switch (InfoClass) {
case FileFsVolumeInformation:
if ((ULONG)RxContext->Info.LengthRemaining >= DevExt->VolAttrsLen) {
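Review bot: The size passed to `RtlZeroMemory` is `RxContext->Info.LengthRemaining`, which the `(ULONG)` cast on the `FileFsVolumeInformation` case line suggests is a signed field. A negative value would convert to a very large size, and the call would then write zeros far past the buffer. `check_nfs41_dirquery_args` runs first, but its checks are not visible in this hunk. Either confirm that it rejects a non-positive length or guard the call, e.g. `if (RxContext->Info.LengthRemaining > 0) RtlZeroMemory(RxContext->Info.Buffer, (ULONG)RxContext->Info.LengthRemaining);`. The body of `nfs41_QueryVolumeInformation` continues outside the hunk.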
diff --git a/drivers/filesystems/npfs/volinfo.c b/drivers/filesystems/npfs/volinfo.c
index 4e3cf9f9229..36fe75f349a 100644
--- a/drivers/filesystems/npfs/volinfo.c
+++ b/drivers/filesystems/npfs/volinfo.c
@@ -27,8 +27,6 @@ NpQueryFsVolumeInfo(IN PVOID Buffer,
*Length -= FIELD_OFFSET(FILE_FS_VOLUME_INFORMATION, VolumeLabel);
- InfoBuffer->VolumeCreationTime.QuadPart = 0;
- InfoBuffer->VolumeSerialNumber = 0;
InfoBuffer->SupportsObjects = 0;
NameLength = 18;
@@ -61,8 +59,6 @@ NpQueryFsSizeInfo(IN PVOID Buffer,
*Length -= sizeof(*InfoBuffer);
- InfoBuffer->TotalAllocationUnits.QuadPart = 0;
- InfoBuffer->AvailableAllocationUnits.QuadPart = 0;
InfoBuffer->SectorsPerAllocationUnit = 1;
InfoBuffer->BytesPerSector = 1;
@@ -78,8 +74,6 @@ NpQueryFsDeviceInfo(IN PVOID Buffer,
PFILE_FS_DEVICE_INFORMATION InfoBuffer = Buffer;
TRACE("Entered\n");
- InfoBuffer->DeviceType = 0;
- InfoBuffer->Characteristics = 0;
InfoBuffer->DeviceType = FILE_DEVICE_NAMED_PIPE;
*Length -= sizeof(*InfoBuffer);
@@ -153,6 +147,8 @@ NpCommonQueryVolumeInformation(IN PDEVICE_OBJECT DeviceObject,
Length = IoStack->Parameters.QueryVolume.Length;
InfoClass = IoStack->Parameters.QueryVolume.FsInformationClass;
+ RtlZeroMemory(Buffer, Length);
+
switch (InfoClass)
{
case FileFsVolumeInformation:
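Review bot: `RtlZeroMemory(Buffer, Length);` in `NpCommonQueryVolumeInformation` is now the only thing that initialises `VolumeCreationTime`, `VolumeSerialNumber`, `TotalAllocationUnits`, `AvailableAllocationUnits` and `Characteristics`. The earlier hunks in this file delete the explicit assignments from `NpQueryFsVolumeInfo`, `NpQueryFsSizeInfo` and `NpQueryFsDeviceInfo`. That dependency is not written down anywhere, so a helper called with a buffer that was not pre-zeroed would hand those fields back uninitialised. I would record the contract next to the call, e.g. `/* The NpQueryFs* helpers rely on this: they do not set every field of the output structure. */`, and repeat it in each helper's header comment. The function continues outside this hunk, and whether the helpers have other callers cannot be seen here.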
diff --git a/drivers/filesystems/udfs/volinfo.cpp b/drivers/filesystems/udfs/volinfo.cpp
index 2197fb29611..470e9113516 100644
--- a/drivers/filesystems/udfs/volinfo.cpp
+++ b/drivers/filesystems/udfs/volinfo.cpp
@@ -197,6 +197,9 @@ UDFCommonQueryVolInfo(
try_return(RC);
}
#endif //UDF_ENABLE_SECURITY
+
+ RtlZeroMemory(Irp->AssociatedIrp.SystemBuffer, Length);
+
switch (IrpSp->Parameters.QueryVolume.FsInformationClass) {
case FileFsVolumeInformation: