Bug 1226132

Summary: CVE-2024-38445: ocf, ceph: information leak due to incorrect memset() usage
Product: [Novell Products] SUSE Security Incidents
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Incidents
Assignee: Wolfgang Frisch <wolfgang.frisch>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: ceph-bugs
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1226208
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Wolfgang Frisch 2024-06-10 08:55:47 UTC
src/spdk/ocf/env/posix/ocf_env.h in openSUSE:Factory/ceph contains a function that's supposed to zero sensitive buffers but fails due to incorrect usage of memset:

static inline void env_secure_free(const void *ptr, size_t size)
{
    if (ptr) {
#if SECURE_MEMORY_HANDLING
        /* arguments transposed: byte value and count are swapped, so
         * this fills 0 bytes with the value `size` instead of `size`
         * bytes with 0 */
        memset(ptr, size, 0);
        /* TODO: flush CPU caches ? */
        ENV_BUG_ON(munlock(ptr));
#endif
        free((void*)ptr);
    }
}

It writes "size" zero times instead of \0 "size" times.

This code path is currently inactive, though it should be fixed in case anyone ever decides to enable it.
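The following is an added example, not code from the bug report or from the ocf project, that makes the effect of the transposed memset() arguments observable: a heap block is filled with a constructed pattern, wiped with the buggy call and with the corrected call, and the surviving bytes are counted. The helper names (zero_buggy, zero_fixed, bytes_surviving, secure_free) and the volatile-function-pointer idiom used to keep the compiler from eliding a wipe that precedes free() are this example's own choices; the upstream fix is not known to use them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The call as it appeared in ocf_env.h: arguments transposed, so the
 * byte value is `size` (converted to int) and the count is 0. Nothing
 * is written. Kept deliberately wrong to show the effect. */
static void zero_buggy(void *ptr, size_t size)
{
    memset(ptr, size, 0);
}

/* Call memset through a volatile function pointer so the compiler cannot
 * treat a wipe that precedes free() as a dead store and drop it. This is
 * a common portable substitute for explicit_bzero(); it is this example's
 * choice, not something the upstream fix is known to use. */
static void *(*volatile memset_fn)(void *, int, size_t) = memset;

static void zero_fixed(void *ptr, size_t size)
{
    memset_fn(ptr, 0, size);   /* correct order: dest, byte value, count */
}

/* Number of bytes in buf[0..n) that are still non-zero. */
static size_t count_nonzero(const unsigned char *buf, size_t n)
{
    size_t left = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0)
            left++;
    return left;
}

/* Fill a heap block with a recognisable pattern, apply one of the two
 * wipers, and report how many bytes survived. The 0xAA pattern is a
 * constructed stand-in for sensitive cache metadata. */
static size_t bytes_surviving(void (*wipe)(void *, size_t), size_t n)
{
    unsigned char *buf = malloc(n);
    if (!buf)
        return (size_t)-1;
    memset(buf, 0xAA, n);
    wipe(buf, n);
    size_t left = count_nonzero(buf, n);
    free(buf);
    return left;
}

/* A corrected secure free in the shape of env_secure_free(): wipe, then
 * release. The munlock()/ENV_BUG_ON step of the original is omitted. */
static void secure_free(void *ptr, size_t size)
{
    if (ptr) {
        zero_fixed(ptr, size);
        free(ptr);
    }
}

int main(void)
{
    size_t n = 32;
    printf("buggy memset(ptr, size, 0): %zu of %zu bytes still hold data\n",
           bytes_surviving(zero_buggy, n), n);
    printf("fixed memset(ptr, 0, size): %zu of %zu bytes still hold data\n",
           bytes_surviving(zero_fixed, n), n);

    char *secret = malloc(16);
    if (secret) {
        strcpy(secret, "constructed key");   /* constructed sample secret */
        secure_free(secret, 16);
    }
    return 0;
}
```

With the buggy wiper every byte of the 32-byte block survives; with the corrected one none do. GCC's -Wall includes -Wmemset-transposed-args, which flags a memset() whose third argument is a literal 0 exactly as in the ocf call, so this class of bug is catchable at build time.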
Comment 2 Wolfgang Frisch 2024-06-11 07:01:14 UTC
Upstream: https://github.com/Open-CAS/ocf/
(ocf is embedded in ceph)
Comment 4 Wolfgang Frisch 2024-06-11 11:12:54 UTC
Affected copies of `ocf` are present in:

openSUSE:Factory/ceph
SUSE:SLFO:Main/ceph
SUSE:ALP:Source:Standard:1.0/ceph
SUSE:SLE-15-SP4:Update/ceph
SUSE:SLE-15-SP4:GA/ceph
SUSE:SLE-15-SP3:Update/ceph
SUSE:SLE-15-SP2:Update/ceph
SUSE:SLE-15-SP2:GA/ceph

NOTE: The affected code path is *inactive* in all our ceph packages, so the fix is not urgent.
Comment 5 Wolfgang Frisch 2024-06-11 11:26:44 UTC
CRD: 2024-09-09
preliminary, probably earlier
Comment 9 Wolfgang Frisch 2024-06-13 07:15:45 UTC
Requested a CVE from Mitre with the following justification:
- Weakness: CWE-226: Sensitive Information in Resource Not Removed Before Reuse
- Attack vector: OCF is a caching library intended to be embedded in multi-user systems such as Ceph. If env_secure_free() fails to clear cache metadata, information might get leaked across security boundaries.
- Description: Open CAS Framework (ocf) versions 19.3.1 through 22.3.2 contains an optional SECURE_MEMORY_HANDLING mode that fails to clear freed memory.
Comment 10 Wolfgang Frisch 2024-06-17 07:41:25 UTC
CVE-2024-38445 was assigned by Mitre and upstream fixed the issue:
https://github.com/Open-CAS/ocf/commit/5975bb8822a24e6ab5a9a59ab1d6441321c7693d

Resolved.