From f3a0728b97d6594ac468e3da2ec5ea931f5361f8 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Mon, 3 Aug 2015 00:38:33 +0000
Subject: [PATCH] md: use kzalloc() when bitmap is disabled (CVE-2015-5697)

svn path=/dists/trunk/linux/; revision=22886

---
 debian/changelog | 1 +
 ...-use-kzalloc-when-bitmap-is-disabled.patch | 69 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 71 insertions(+)
 create mode 100644 debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch

diff --git a/debian/changelog b/debian/changelog
index 9ffe0dd37..eeae139e5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,7 @@ linux (4.1.3-1) UNRELEASED; urgency=medium
 ALIX, NET5501, GEOS (Closes: #734204)
 * [s390x] cachinfo: add missing facility check to init_cache_level()
 (Closes: #793929)
+ * md: use kzalloc() when bitmap is disabled (CVE-2015-5697)

 [ Ian Campbell ]
 * [armhf] Set CONFIG_ARM_TEGRA_CPUFREQ as builtin.
diff --git a/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch b/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
new file mode 100644
index 000000000..5a7e204ae
--- /dev/null
+++ b/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
@@ -0,0 +1,69 @@
+From: Benjamin Randazzo
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+Origin: http://git.neil.brown.name/?p=md.git;a=commit;h=77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769 file = kmalloc(sizeof(*file), GFP_NOIO);
+5770 if (!file)
+5771 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786 if (err == 0 &&
+5787 copy_to_user(arg, file, sizeof(*file)))
+5788 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775 /* bitmap disabled, zero the first byte and copy out */
+5776 if (!mddev->bitmap_info.file)
+5777 file->pathname[0] = '\0';
+
+Signed-off-by: Benjamin Randazzo
+Signed-off-by: NeilBrown
+[bwh: Backported to 4.1: using d_path() instead of file_path()]
+---
+ drivers/md/md.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5735,22 +5735,22 @@ static int get_bitmap_file(struct mddev
+ char *ptr;
+ int err;
+
+- file = kmalloc(sizeof(*file), GFP_NOIO);
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+ if (!file)
+ return -ENOMEM;
+
+ err = 0;
+ spin_lock(&mddev->lock);
+- /* bitmap disabled, zero the first byte and copy out */
+- if (!mddev->bitmap_info.file)
+- file->pathname[0] = '\0';
+- else if ((ptr = d_path(&mddev->bitmap_info.file->f_path,
+- file->pathname, sizeof(file->pathname))),
+- IS_ERR(ptr))
+- err = PTR_ERR(ptr);
+- else
+- memmove(file->pathname, ptr,
+- sizeof(file->pathname)-(ptr-file->pathname));
++ /* bitmap enabled */
++ if (mddev->bitmap_info.file) {
++ ptr = d_path(&mddev->bitmap_info.file->f_path, file->pathname,
++ sizeof(file->pathname));
++ if (IS_ERR(ptr))
++ err = PTR_ERR(ptr);
++ else
++ memmove(file->pathname, ptr,
++ sizeof(file->pathname)-(ptr-file->pathname));
++ }
+ spin_unlock(&mddev->lock);
+
+ if (err == 0 &&
diff --git a/debian/patches/series b/debian/patches/series
index dd405e883..41bb2dfaa 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -89,3 +89,4 @@ bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
 bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
 bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
 bugfix/s390/s390-cachinfo-add-missing-facility-check-to-init_cache_level.patch
+bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
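Review bot: The bitmap-disabled path now yields an empty pathname only because kzalloc() zero-filled the whole mdu_bitmap_file_t, but the new `/* bitmap enabled */` comment does not record that dependency, so a later change back to kmalloc() (or reuse of a non-zeroed buffer) would silently reopen the copy_to_user() leak. Suggest widening the comment to `/* bitmap enabled; when disabled, kzalloc() already left pathname empty and every byte copied to userspace is zero */`. The zero-fill appears to matter on the enabled branch as well: the memmove() from `ptr` to the front of pathname indicates d_path() filled only the tail of the buffer, so under kmalloc() the bytes ahead of `ptr` were uninitialised too, which the patch header (describing only the disabled case) does not mention. get_bitmap_file() starts and ends outside the hunk.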