[kernel] r22886 - in dists/trunk/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at moszumanska.debian.org
Mon Aug 3 00:38:33 UTC 2015
Author: benh
Date: Mon Aug 3 00:38:33 2015
New Revision: 22886
Log:
md: use kzalloc() when bitmap is disabled (CVE-2015-5697)
Added:
dists/trunk/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
Modified:
dists/trunk/linux/debian/changelog
dists/trunk/linux/debian/patches/series
Modified: dists/trunk/linux/debian/changelog
==============================================================================
--- dists/trunk/linux/debian/changelog Sun Aug 2 22:08:54 2015 (r22885)
+++ dists/trunk/linux/debian/changelog Mon Aug 3 00:38:33 2015 (r22886)
@@ -15,6 +15,7 @@
ALIX, NET5501, GEOS (Closes: #734204)
* [s390x] cachinfo: add missing facility check to init_cache_level()
(Closes: #793929)
+ * md: use kzalloc() when bitmap is disabled (CVE-2015-5697)
[ Ian Campbell ]
* [armhf] Set CONFIG_ARM_TEGRA_CPUFREQ as builtin.
Added: dists/trunk/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch Mon Aug 3 00:38:33 2015 (r22886)
@@ -0,0 +1,69 @@
+From: Benjamin Randazzo <benjamin at randazzo.fr>
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+Origin: http://git.neil.brown.name/?p=md.git;a=commit;h=77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769 file = kmalloc(sizeof(*file), GFP_NOIO);
+5770 if (!file)
+5771 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786 if (err == 0 &&
+5787 copy_to_user(arg, file, sizeof(*file)))
+5788 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775 /* bitmap disabled, zero the first byte and copy out */
+5776 if (!mddev->bitmap_info.file)
+5777 file->pathname[0] = '\0';
+
+Signed-off-by: Benjamin Randazzo <benjamin at randazzo.fr>
+Signed-off-by: NeilBrown <neilb at suse.com>
+[bwh: Backported to 4.1: using d_path() instead of file_path()]
+---
+ drivers/md/md.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5735,22 +5735,22 @@ static int get_bitmap_file(struct mddev
+ char *ptr;
+ int err;
+
+- file = kmalloc(sizeof(*file), GFP_NOIO);
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+ if (!file)
+ return -ENOMEM;
+
+ err = 0;
+ spin_lock(&mddev->lock);
+- /* bitmap disabled, zero the first byte and copy out */
+- if (!mddev->bitmap_info.file)
+- file->pathname[0] = '\0';
+- else if ((ptr = d_path(&mddev->bitmap_info.file->f_path,
+- file->pathname, sizeof(file->pathname))),
+- IS_ERR(ptr))
+- err = PTR_ERR(ptr);
+- else
+- memmove(file->pathname, ptr,
+- sizeof(file->pathname)-(ptr-file->pathname));
++ /* bitmap enabled */
++ if (mddev->bitmap_info.file) {
++ ptr = d_path(&mddev->bitmap_info.file->f_path, file->pathname,
++ sizeof(file->pathname));
++ if (IS_ERR(ptr))
++ err = PTR_ERR(ptr);
++ else
++ memmove(file->pathname, ptr,
++ sizeof(file->pathname)-(ptr-file->pathname));
++ }
+ spin_unlock(&mddev->lock);
+
+ if (err == 0 &&
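Review bot: At the `file = kzalloc(sizeof(*file), GFP_NOIO);` line in get_bitmap_file(), the zeroing is now the only thing keeping uninitialized heap bytes out of the `copy_to_user(arg, file, sizeof(*file))` quoted in the description, yet the code does not say so, and the old comment that explained the disabled case ("zero the first byte and copy out") is removed in favour of a bare `/* bitmap enabled */`. I would add a short comment at the allocation stating that the whole structure is copied to user space and must therefore be zeroed, so a later cleanup does not switch it back to kmalloc(). The description also covers only the disabled-bitmap case; in the enabled branch the memmove() shifts the d_path() result to the start of `file->pathname` and does not touch any bytes of the buffer that d_path() never wrote, so it is worth saying in the message that kzalloc() covers that branch too. Separately, the patch header carries Origin but not the CVE id, which appears only in debian/changelog; adding CVE-2015-5697 to the header would keep the patch file self-describing.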
Modified: dists/trunk/linux/debian/patches/series
==============================================================================
--- dists/trunk/linux/debian/patches/series Sun Aug 2 22:08:54 2015 (r22885)
+++ dists/trunk/linux/debian/patches/series Mon Aug 3 00:38:33 2015 (r22886)
@@ -89,3 +89,4 @@
bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
bugfix/s390/s390-cachinfo-add-missing-facility-check-to-init_cache_level.patch
+bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch