diff options
Diffstat (limited to 'aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch')
-rw-r--r-- | aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch | 46 |
1 files changed, 0 insertions, 46 deletions
diff --git a/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch b/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch deleted file mode 100644 index 831a6a85f..000000000 --- a/aio-fix-kernel-memory-disclosure-in-io_getevents-int.patch +++ /dev/null @@ -1,46 +0,0 @@ -Bugzilla: 1112975 -Upstream-status: 3.16 and CC'd to stable - -From edfbbf388f293d70bf4b7c0bc38774d05e6f711a Mon Sep 17 00:00:00 2001 -From: Benjamin LaHaise <bcrl@kvack.org> -Date: Tue, 24 Jun 2014 13:32:51 -0400 -Subject: [PATCH] aio: fix kernel memory disclosure in io_getevents() - introduced in v3.10 - -A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10 -by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to -aio_read_events_ring() failed to correctly limit the index into -ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of -an arbitrary page with a copy_to_user() to copy the contents into userspace. -This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and -Petr for disclosing this issue. - -This patch applies to v3.12+. A separate backport is needed for 3.10/3.11. - -Signed-off-by: Benjamin LaHaise <bcrl@kvack.org> -Cc: Mateusz Guzik <mguzik@redhat.com> -Cc: Petr Matousek <pmatouse@redhat.com> -Cc: Kent Overstreet <kmo@daterainc.com> -Cc: Jeff Moyer <jmoyer@redhat.com> -Cc: stable@vger.kernel.org ---- - fs/aio.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/fs/aio.c b/fs/aio.c -index 6a9c7e489adf..955947ef3e02 100644 ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -1063,6 +1063,9 @@ static long aio_read_events_ring(struct kioctx *ctx, - if (head == tail) - goto out; - -+ head %= ctx->nr_events; -+ tail %= ctx->nr_events; -+ - while (ret < nr) { - long avail; - struct io_event *ev; --- -1.9.3 - |