md: use kzalloc() when bitmap is disabled (CVE-2015-5697)
svn path=/dists/trunk/linux/; revision=22886
parent
890d5dc0aa
commit
f3a0728b97
|
@ -15,6 +15,7 @@ linux (4.1.3-1) UNRELEASED; urgency=medium
|
||||||
ALIX, NET5501, GEOS (Closes: #734204)
|
ALIX, NET5501, GEOS (Closes: #734204)
|
||||||
* [s390x] cachinfo: add missing facility check to init_cache_level()
|
* [s390x] cachinfo: add missing facility check to init_cache_level()
|
||||||
(Closes: #793929)
|
(Closes: #793929)
|
||||||
|
* md: use kzalloc() when bitmap is disabled (CVE-2015-5697)
|
||||||
|
|
||||||
[ Ian Campbell ]
|
[ Ian Campbell ]
|
||||||
* [armhf] Set CONFIG_ARM_TEGRA_CPUFREQ as builtin.
|
* [armhf] Set CONFIG_ARM_TEGRA_CPUFREQ as builtin.
|
||||||
|
|
|
@ -0,0 +1,69 @@
|
||||||
|
From: Benjamin Randazzo <benjamin@randazzo.fr>
|
||||||
|
Date: Sat, 25 Jul 2015 16:36:50 +0200
|
||||||
|
Subject: md: use kzalloc() when bitmap is disabled
|
||||||
|
Origin: http://git.neil.brown.name/?p=md.git;a=commit;h=77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4
|
||||||
|
|
||||||
|
In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
|
||||||
|
mdu_bitmap_file_t called "file".
|
||||||
|
|
||||||
|
5769 file = kmalloc(sizeof(*file), GFP_NOIO);
|
||||||
|
5770 if (!file)
|
||||||
|
5771 return -ENOMEM;
|
||||||
|
|
||||||
|
This structure is copied to user space at the end of the function.
|
||||||
|
|
||||||
|
5786 if (err == 0 &&
|
||||||
|
5787 copy_to_user(arg, file, sizeof(*file)))
|
||||||
|
5788 err = -EFAULT
|
||||||
|
|
||||||
|
But if bitmap is disabled only the first byte of "file" is initialized
|
||||||
|
with zero, so it's possible to read some bytes (up to 4095) of kernel
|
||||||
|
space memory from user space. This is an information leak.
|
||||||
|
|
||||||
|
5775 /* bitmap disabled, zero the first byte and copy out */
|
||||||
|
5776 if (!mddev->bitmap_info.file)
|
||||||
|
5777 file->pathname[0] = '\0';
|
||||||
|
|
||||||
|
Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
|
||||||
|
Signed-off-by: NeilBrown <neilb@suse.com>
|
||||||
|
[bwh: Backported to 4.1: using d_path() instead of file_path()]
|
||||||
|
---
|
||||||
|
drivers/md/md.c | 22 +++++++++++-----------
|
||||||
|
1 file changed, 11 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
--- a/drivers/md/md.c
|
||||||
|
+++ b/drivers/md/md.c
|
||||||
|
@@ -5735,22 +5735,22 @@ static int get_bitmap_file(struct mddev
|
||||||
|
char *ptr;
|
||||||
|
int err;
|
||||||
|
|
||||||
|
- file = kmalloc(sizeof(*file), GFP_NOIO);
|
||||||
|
+ file = kzalloc(sizeof(*file), GFP_NOIO);
|
||||||
|
if (!file)
|
||||||
|
return -ENOMEM;
|
||||||
|
|
||||||
|
err = 0;
|
||||||
|
spin_lock(&mddev->lock);
|
||||||
|
- /* bitmap disabled, zero the first byte and copy out */
|
||||||
|
- if (!mddev->bitmap_info.file)
|
||||||
|
- file->pathname[0] = '\0';
|
||||||
|
- else if ((ptr = d_path(&mddev->bitmap_info.file->f_path,
|
||||||
|
- file->pathname, sizeof(file->pathname))),
|
||||||
|
- IS_ERR(ptr))
|
||||||
|
- err = PTR_ERR(ptr);
|
||||||
|
- else
|
||||||
|
- memmove(file->pathname, ptr,
|
||||||
|
- sizeof(file->pathname)-(ptr-file->pathname));
|
||||||
|
+ /* bitmap enabled */
|
||||||
|
+ if (mddev->bitmap_info.file) {
|
||||||
|
+ ptr = d_path(&mddev->bitmap_info.file->f_path, file->pathname,
|
||||||
|
+ sizeof(file->pathname));
|
||||||
|
+ if (IS_ERR(ptr))
|
||||||
|
+ err = PTR_ERR(ptr);
|
||||||
|
+ else
|
||||||
|
+ memmove(file->pathname, ptr,
|
||||||
|
+ sizeof(file->pathname)-(ptr-file->pathname));
|
||||||
|
+ }
|
||||||
|
spin_unlock(&mddev->lock);
|
||||||
|
|
||||||
|
if (err == 0 &&
|
|
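Review bot: Nothing at the `kzalloc()` call in the md.c hunk records that the zero-fill is a security requirement; the only comment left is `/* bitmap enabled */`, which explains neither the allocation nor the missing else branch. The whole structure goes to user space through `copy_to_user(arg, file, sizeof(*file))`, so when `mddev->bitmap_info.file` is NULL the zeroed allocation is the only thing keeping stale heap bytes out of the reply. I would add a comment on the allocation such as `/* must be zeroed: the whole struct is copied to user space, even with no bitmap file */`, so a later cleanup does not switch it back to `kmalloc()`. get_bitmap_file() starts and ends outside the hunk, so the copy-out is only partly visible here.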
@ -89,3 +89,4 @@ bugfix/x86/0008-x86-nmi-64-Reorder-nested-NMI-checks.patch
|
||||||
bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
|
bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
|
||||||
bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
|
bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
|
||||||
bugfix/s390/s390-cachinfo-add-missing-facility-check-to-init_cache_level.patch
|
bugfix/s390/s390-cachinfo-add-missing-facility-check-to-init_cache_level.patch
|
||||||
|
bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
|
||||||
|
|