https://git.reactos.org/?p=reactos.git;a=commitdiff;h=166f815e7b66966e5703c1...
commit 166f815e7b66966e5703c15275e3620bbedcd8a4 Author: Nguyen Trung Khanh nguyentrungkhanh97@gmail.com AuthorDate: Fri Sep 11 19:51:35 2020 +0700 Commit: GitHub noreply@github.com CommitDate: Fri Sep 11 15:51:35 2020 +0300
[FILESYSTEMS] Fix pool memory disclosure in filesystem drivers supporting FS_INFORMATION_CLASS.FileFsVolumeInformation (#2975)
* FileFsVolumeInformation-memory-disclosure
* remove unnecessary assignment to 0
* fix --- drivers/filesystems/cdfs/volinfo.c | 4 ++++ drivers/filesystems/fastfat/volume.c | 3 ++- drivers/filesystems/nfs/nfs41_driver.c | 4 ++++ drivers/filesystems/npfs/volinfo.c | 8 ++------ drivers/filesystems/udfs/volinfo.cpp | 3 +++ 5 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/drivers/filesystems/cdfs/volinfo.c b/drivers/filesystems/cdfs/volinfo.c
index f61c9758868..0a0ef10bd57 100644
--- a/drivers/filesystems/cdfs/volinfo.c
+++ b/drivers/filesystems/cdfs/volinfo.c
@@ -160,6 +160,10 @@ Return Value:
 // and false if it couldn't wait for any I/O to complete.
 //
+#ifdef __REACTOS__
+ RtlZeroMemory(Irp->AssociatedIrp.SystemBuffer, Length);
+#endif // __REACTOS__
+
 switch (IrpSp->Parameters.QueryVolume.FsInformationClass) {
case FileFsSizeInformation:
diff --git a/drivers/filesystems/fastfat/volume.c b/drivers/filesystems/fastfat/volume.c
index f4f8f738ebf..e1eba1fd2a7 100644
--- a/drivers/filesystems/fastfat/volume.c
+++ b/drivers/filesystems/fastfat/volume.c
@@ -48,7 +48,6 @@ FsdGetFsVolumeInformation(
 RtlCopyMemory(FsVolumeInfo->VolumeLabel, DeviceObject->Vpb->VolumeLabel, *BufferLength);
- *BufferLength = 0;
 } else {
@@ -457,6 +456,8 @@ VfatQueryVolumeInformation(
 DPRINT("FsInformationClass %d\n", FsInformationClass);
 DPRINT("SystemBuffer %p\n", SystemBuffer);
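Review bot: The `RtlZeroMemory(Irp->AssociatedIrp.SystemBuffer, Length);` added ahead of the switch in cdfs/volinfo.c has no comment saying why the whole output buffer is cleared, and the same is true of the equivalent calls added in fastfat/volume.c (VfatQueryVolumeInformation), nfs41_driver.c, npfs/volinfo.c and udfs/volinfo.cpp. Next to handlers that fill the structure themselves the call reads as redundant, which makes it an easy casualty of a later cleanup. I would add `// Clear the caller-visible buffer up front so padding and any bytes a handler leaves unwritten never return stale pool contents.` above each call. The zeroing masks rather than removes whatever leaves bytes unwritten (presumably structure padding or a reported length larger than what was filled in, neither of which is visible here), so the per-class handlers are still worth auditing. The enclosing function starts and ends outside the hunk.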
+ RtlZeroMemory(SystemBuffer, BufferLength);
+
 switch (FsInformationClass) {
 case FileFsVolumeInformation:
diff --git a/drivers/filesystems/nfs/nfs41_driver.c b/drivers/filesystems/nfs/nfs41_driver.c
index 90b57c8f270..86e8b594a9b 100644
--- a/drivers/filesystems/nfs/nfs41_driver.c
+++ b/drivers/filesystems/nfs/nfs41_driver.c
@@ -4546,6 +4546,10 @@ NTSTATUS nfs41_QueryVolumeInformation(
 status = check_nfs41_dirquery_args(RxContext);
 if (status) goto out;
+#ifdef __REACTOS__
+ RtlZeroMemory(RxContext->Info.Buffer, RxContext->Info.LengthRemaining);
+#endif // __REACTOS__
+
 switch (InfoClass) {
 case FileFsVolumeInformation:
 if ((ULONG)RxContext->Info.LengthRemaining >= DevExt->VolAttrsLen) {
diff --git a/drivers/filesystems/npfs/volinfo.c b/drivers/filesystems/npfs/volinfo.c
index 4e3cf9f9229..36fe75f349a 100644
--- a/drivers/filesystems/npfs/volinfo.c
+++ b/drivers/filesystems/npfs/volinfo.c
@@ -27,8 +27,6 @@ NpQueryFsVolumeInfo(IN PVOID Buffer,
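Review bot: In nfs41_QueryVolumeInformation the new `RtlZeroMemory(RxContext->Info.Buffer, RxContext->Info.LengthRemaining);` uses LengthRemaining directly as the byte count, while the next context line casts the same field with `(ULONG)`, which suggests it is a signed type. If it could ever be negative at this point, or Buffer could be NULL, the call would write outside the output buffer; whether check_nfs41_dirquery_args already rules both out is not visible in the hunk. A guard such as `if (RxContext->Info.Buffer && RxContext->Info.LengthRemaining > 0)` around the call, or a comment naming the earlier check that guarantees it, would make the invariant explicit. The function body continues outside the hunk.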
*Length -= FIELD_OFFSET(FILE_FS_VOLUME_INFORMATION, VolumeLabel);
- InfoBuffer->VolumeCreationTime.QuadPart = 0;
- InfoBuffer->VolumeSerialNumber = 0;
 InfoBuffer->SupportsObjects = 0;
NameLength = 18;
@@ -61,8 +59,6 @@ NpQueryFsSizeInfo(IN PVOID Buffer,
*Length -= sizeof(*InfoBuffer);
- InfoBuffer->TotalAllocationUnits.QuadPart = 0;
- InfoBuffer->AvailableAllocationUnits.QuadPart = 0;
 InfoBuffer->SectorsPerAllocationUnit = 1;
 InfoBuffer->BytesPerSector = 1;
@@ -78,8 +74,6 @@ NpQueryFsDeviceInfo(IN PVOID Buffer,
 PFILE_FS_DEVICE_INFORMATION InfoBuffer = Buffer;
 TRACE("Entered\n");
- InfoBuffer->DeviceType = 0;
- InfoBuffer->Characteristics = 0;
 InfoBuffer->DeviceType = FILE_DEVICE_NAMED_PIPE;
 *Length -= sizeof(*InfoBuffer);
@@ -153,6 +147,8 @@ NpCommonQueryVolumeInformation(IN PDEVICE_OBJECT DeviceObject,
 Length = IoStack->Parameters.QueryVolume.Length;
 InfoClass = IoStack->Parameters.QueryVolume.FsInformationClass;
+ RtlZeroMemory(Buffer, Length);
+
 switch (InfoClass) {
 case FileFsVolumeInformation:
diff --git a/drivers/filesystems/udfs/volinfo.cpp b/drivers/filesystems/udfs/volinfo.cpp
index 2197fb29611..470e9113516 100644
--- a/drivers/filesystems/udfs/volinfo.cpp
+++ b/drivers/filesystems/udfs/volinfo.cpp
@@ -197,6 +197,9 @@ UDFCommonQueryVolInfo(
 try_return(RC);
 }
 #endif //UDF_ENABLE_SECURITY
+
+ RtlZeroMemory(Irp->AssociatedIrp.SystemBuffer, Length);
+
 switch (IrpSp->Parameters.QueryVolume.FsInformationClass) {
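Review bot: The `RtlZeroMemory(Buffer, Length);` added in NpCommonQueryVolumeInformation (npfs/volinfo.c) is now the only initialisation for several fields, because the earlier hunks in this file delete the explicit zero assignments in NpQueryFsVolumeInfo (VolumeCreationTime, VolumeSerialNumber), NpQueryFsSizeInfo (TotalAllocationUnits, AvailableAllocationUnits) and NpQueryFsDeviceInfo (Characteristics). Those helpers would hand back uninitialised fields if they were ever reached with a buffer this caller had not cleared; whether other callers exist is not visible here. A comment at the call, for example `/* The Np* query helpers rely on this: they no longer zero the fields they do not set. */`, or keeping the explicit assignments in the helpers, would document the dependency. The function continues outside the hunk.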
case FileFsVolumeInformation:
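Review bot: The `RtlZeroMemory(Irp->AssociatedIrp.SystemBuffer, Length);` added to UDFCommonQueryVolInfo is not wrapped in `#ifdef __REACTOS__` / `#endif // __REACTOS__`, unlike the same change in cdfs/volinfo.c and nfs41_driver.c. If udfs is also synced from an external code base, which the hunk does not show, an unmarked local change is easy to lose on the next import, and the disclosure fix would go with it. Marking it the same way as in the other two drivers would keep the fix identifiable. The function body starts and ends outside the hunk.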