[kernel] r22886 - in dists/trunk/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at moszumanska.debian.org
Mon Aug 3 00:38:33 UTC 2015 

Author: benh
Date: Mon Aug  3 00:38:33 2015
New Revision: 22886

Log:
md: use kzalloc() when bitmap is disabled (CVE-2015-5697)

Added:
   dists/trunk/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
Modified:
   dists/trunk/linux/debian/changelog
   dists/trunk/linux/debian/patches/series

Modified: dists/trunk/linux/debian/changelog
==============================================================================
--- dists/trunk/linux/debian/changelog	Sun Aug  2 22:08:54 2015	(r22885)
+++ dists/trunk/linux/debian/changelog	Mon Aug  3 00:38:33 2015	(r22886)
@@ -15,6 +15,7 @@
     ALIX, NET5501, GEOS (Closes: #734204)
   * [s390x] cachinfo: add missing facility check to init_cache_level()
     (Closes: #793929)
+  * md: use kzalloc() when bitmap is disabled (CVE-2015-5697)
 
   [ Ian Campbell ]
   * [armhf] Set CONFIG_ARM_TEGRA_CPUFREQ as builtin.

Added: dists/trunk/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/trunk/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch	Mon Aug  3 00:38:33 2015	(r22886)
@@ -0,0 +1,69 @@
+From: Benjamin Randazzo <benjamin at randazzo.fr>
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+Origin: http://git.neil.brown.name/?p=md.git;a=commit;h=77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769         file = kmalloc(sizeof(*file), GFP_NOIO);
+5770         if (!file)
+5771                 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786         if (err == 0 &&
+5787             copy_to_user(arg, file, sizeof(*file)))
+5788                 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775         /* bitmap disabled, zero the first byte and copy out */
+5776         if (!mddev->bitmap_info.file)
+5777                 file->pathname[0] = '\0';
+
+Signed-off-by: Benjamin Randazzo <benjamin at randazzo.fr>
+Signed-off-by: NeilBrown <neilb at suse.com>
+[bwh: Backported to 4.1: using d_path() instead of file_path()]
+---
+ drivers/md/md.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5735,22 +5735,22 @@ static int get_bitmap_file(struct mddev
+ 	char *ptr;
+ 	int err;
+ 
+-	file = kmalloc(sizeof(*file), GFP_NOIO);
++	file = kzalloc(sizeof(*file), GFP_NOIO);
+ 	if (!file)
+ 		return -ENOMEM;
+ 
+ 	err = 0;
+ 	spin_lock(&mddev->lock);
+-	/* bitmap disabled, zero the first byte and copy out */
+-	if (!mddev->bitmap_info.file)
+-		file->pathname[0] = '\0';
+-	else if ((ptr = d_path(&mddev->bitmap_info.file->f_path,
+-			       file->pathname, sizeof(file->pathname))),
+-		 IS_ERR(ptr))
+-		err = PTR_ERR(ptr);
+-	else
+-		memmove(file->pathname, ptr,
+-			sizeof(file->pathname)-(ptr-file->pathname));
++	/* bitmap enabled */
++	if (mddev->bitmap_info.file) {
++		ptr = d_path(&mddev->bitmap_info.file->f_path, file->pathname,
++			     sizeof(file->pathname));
++		if (IS_ERR(ptr))
++			err = PTR_ERR(ptr);
++		else
++			memmove(file->pathname, ptr,
++				sizeof(file->pathname)-(ptr-file->pathname));
++	}
+ 	spin_unlock(&mddev->lock);
+ 
+ 	if (err == 0 &&

Modified: dists/trunk/linux/debian/patches/series
==============================================================================
--- dists/trunk/linux/debian/patches/series	Sun Aug  2 22:08:54 2015	(r22885)
+++ dists/trunk/linux/debian/patches/series	Mon Aug  3 00:38:33 2015	(r22886)
@@ -89,3 +89,4 @@
 bugfix/x86/0009-x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
 bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
 bugfix/s390/s390-cachinfo-add-missing-facility-check-to-init_cache_level.patch
+bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch

More information about the Kernel-svn-changes mailing list