Bugzilla – Bug 1226132
CVE-2024-38445: ocf, ceph: information leak due to incorrect memset() usage
Last modified: 2024-06-17 07:41:25 UTC
src/spdk/ocf/env/posix/ocf_env.h in openSUSE:Factory/ceph contains a function that's supposed to zero sensitive buffers but fails due to incorrect usage of memset:

    static inline void env_secure_free(const void *ptr, size_t size)
    {
        if (ptr) {
    #if SECURE_MEMORY_HANDLING
            memset(ptr, size, 0);   /* BUG: arguments transposed, writes 0 bytes */
            /* TODO: flush CPU caches ? */
            ENV_BUG_ON(munlock(ptr));
    #endif
            free((void*)ptr);
        }
    }

It writes "size" zero times instead of \0 "size" times. This code path is currently inactive, though it should be fixed in case anyone ever decides to enable it.
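The transposed-argument defect, as an added example that is not part of the bug report or of ocf: a hypothetical wipe routine in the reported form beside the corrected form, with a count of how many bytes of a constructed secret survive each. The names wipe_transposed, wipe_correct and leftover_bytes are assumptions; the volatile loop in the corrected form is one portable way to keep the compiler from dropping the stores as dead writes before free().

```c
#include <stddef.h>
#include <string.h>

/* Reported form: memset(ptr, size, 0) fills 0 bytes with the value `size`,
 * so the buffer contents are left intact. */
static void wipe_transposed(void *ptr, size_t size)
{
    memset(ptr, (int)size, 0);
}

/* Corrected argument order. A plain memset(ptr, 0, size) right before
 * free() may be removed as a dead store, so write through a volatile
 * pointer to force the zeroing to happen. */
static void wipe_correct(void *ptr, size_t size)
{
    volatile unsigned char *p = (volatile unsigned char *)ptr;
    while (size--)
        *p++ = 0;
}

#define BUF_SIZE 32

/* Fill a buffer with constructed "sensitive" bytes, wipe it with one of the
 * two variants, and return how many non-zero bytes remain. */
size_t leftover_bytes(int use_correct)
{
    unsigned char buf[BUF_SIZE];
    size_t i, nonzero = 0;

    memset(buf, 0xA5, sizeof buf);   /* constructed secret, not real data */
    if (use_correct)
        wipe_correct(buf, sizeof buf);
    else
        wipe_transposed(buf, sizeof buf);

    for (i = 0; i < sizeof buf; i++)
        if (buf[i] != 0)
            nonzero++;
    return nonzero;   /* 32 for the transposed form, 0 for the corrected one */
}
```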
Permalink: https://github.com/Open-CAS/ocf/blob/7c8ac29ab982eb33abd42c9049fe42ddc491a7b2/env/posix/ocf_env.h#L190
Upstream: https://github.com/Open-CAS/ocf/ (ocf is embedded in ceph)
Affected copies of `ocf` are present in:
- openSUSE:Factory/ceph
- SUSE:SLFO:Main/ceph
- SUSE:ALP:Source:Standard:1.0/ceph
- SUSE:SLE-15-SP4:Update/ceph
- SUSE:SLE-15-SP4:GA/ceph
- SUSE:SLE-15-SP3:Update/ceph
- SUSE:SLE-15-SP2:Update/ceph
- SUSE:SLE-15-SP2:GA/ceph

NOTE: The affected code path is *inactive* in all our ceph packages, so the fix is not urgent.
CRD: 2024-09-09 preliminary, probably earlier
Introduced by https://github.com/Open-CAS/ocf/commit/9528d1bf64cd8aefd970023af93eb0b638af7a1c
Requested a CVE from Mitre with the following justification:
- Weakness: CWE-226: Sensitive Information in Resource Not Removed Before Reuse
- Attack vector: OCF is a caching library intended to be embedded in multi-user systems such as Ceph. If env_secure_free() fails to clear cache metadata, information might get leaked across security boundaries.
- Description: Open CAS Framework (ocf) versions 19.3.1 through 22.3.2 contain an optional SECURE_MEMORY_HANDLING mode that fails to clear freed memory.
CVE-2024-38445 was assigned by Mitre and upstream fixed the issue: https://github.com/Open-CAS/ocf/commit/5975bb8822a24e6ab5a9a59ab1d6441321c7693d

Resolved.