author | Josh Boyer <jwboyer@fedoraproject.org> | 2015-08-03 20:20:41 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2015-08-03 20:25:56 -0400 |
commit | dba6c5bc710a29758b9177c51c1be48c981da99a (patch) | |
tree | cd51d1e8fc6f36718e79ee2dc53225998cf11572 /md-use-kzalloc-when-bitmap-is-disabled.patch | |
parent | f2e2f136a7681e774a2733ba7b11cf4c2d368d77 (diff) | |
CVE-2015-5697 info leak in md driver (rhbz 1249011 1249013)
Diffstat (limited to 'md-use-kzalloc-when-bitmap-is-disabled.patch')
-rw-r--r-- | md-use-kzalloc-when-bitmap-is-disabled.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/md-use-kzalloc-when-bitmap-is-disabled.patch b/md-use-kzalloc-when-bitmap-is-disabled.patch
new file mode 100644
index 000000000..fded7a2db
--- /dev/null
+++ b/md-use-kzalloc-when-bitmap-is-disabled.patch
@@ -0,0 +1,70 @@
+From 77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4 Mon Sep 17 00:00:00 2001
+From: Benjamin Randazzo <benjamin@randazzo.fr>
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769 file = kmalloc(sizeof(*file), GFP_NOIO);
+5770 if (!file)
+5771 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786 if (err == 0 &&
+5787 copy_to_user(arg, file, sizeof(*file)))
+5788 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775 /* bitmap disabled, zero the first byte and copy out */
+5776 if (!mddev->bitmap_info.file)
+5777 file->pathname[0] = '\0';
+
+Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
+Signed-off-by: NeilBrown <neilb@suse.com>
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index ce4cb8b..cdc080b 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5765,22 +5765,22 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
+ char *ptr;
+ int err;
+
+- file = kmalloc(sizeof(*file), GFP_NOIO);
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+ if (!file)
+ return -ENOMEM;
+
+ err = 0;
+ spin_lock(&mddev->lock);
+- /* bitmap disabled, zero the first byte and copy out */
+- if (!mddev->bitmap_info.file)
+- file->pathname[0] = '\0';
+- else if ((ptr = file_path(mddev->bitmap_info.file,
+- file->pathname, sizeof(file->pathname))),
+- IS_ERR(ptr))
+- err = PTR_ERR(ptr);
+- else
+- memmove(file->pathname, ptr,
+- sizeof(file->pathname)-(ptr-file->pathname));
++ /* bitmap enabled */
++ if (mddev->bitmap_info.file) {
++ ptr = file_path(mddev->bitmap_info.file, file->pathname,
++ sizeof(file->pathname));
++ if (IS_ERR(ptr))
++ err = PTR_ERR(ptr);
++ else
++ memmove(file->pathname, ptr,
++ sizeof(file->pathname)-(ptr-file->pathname));
++ }
+ spin_unlock(&mddev->lock);
+
+ if (err == 0 &&
+--
+cgit v0.10.2
+
|
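Review bot: The added patch file carries the upstream commit id (77ba0569d4c8) and the Subject line, but not the CVE-2015-5697 id or the rhbz references (1249011, 1249013) that only appear in this commit's title, so anyone auditing the patch directory alone cannot tell it is a security backport; a reference line in the patch header, e.g. `CVE: CVE-2015-5697 (rhbz 1249011 1249013)` placed after the Subject, would keep that traceable. On the fix itself, the switch to `kzalloc()` zeroes the whole `mdu_bitmap_file_t` before `copy_to_user()` (which sits below the nested hunk), so the bitmap-disabled path no longer exposes uninitialised heap bytes; the memmove in the enabled path can only duplicate bytes of the path itself into the tail of `pathname`, not leak anything else. The nested `get_bitmap_file()` hunk shows only the middle of that function; its start and the `copy_to_user()` tail lie outside it, so the full allocation/copy pairing is inferred from the description rather than visible here.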