[kernel] r22887 - in dists/jessie-security/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at moszumanska.debian.org
Mon Aug 3 00:57:23 UTC 2015


Author: benh
Date: Mon Aug  3 00:57:23 2015
New Revision: 22887

Log:
md: use kzalloc() when bitmap is disabled (CVE-2015-5697)

Added:
   dists/jessie-security/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
Modified:
   dists/jessie-security/linux/debian/changelog
   dists/jessie-security/linux/debian/patches/series

Modified: dists/jessie-security/linux/debian/changelog
==============================================================================
--- dists/jessie-security/linux/debian/changelog	Mon Aug  3 00:38:33 2015	(r22886)
+++ dists/jessie-security/linux/debian/changelog	Mon Aug  3 00:57:23 2015	(r22887)
@@ -7,6 +7,7 @@
   * [x86] bpf_jit: fix compilation of large bpf programs (CVE-2015-4700)
   * sg_start_req(): make sure that there's not too many elements in iovec
     (CVE-2015-5707)
+  * md: use kzalloc() when bitmap is disabled (CVE-2015-5697)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 26 Jul 2015 20:37:03 +0100
 
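Review bot: the new changelog line matches the patch Subject and CVE id exactly, so nothing to change in the entry itself; only note that the trailer below it is still dated "Sun, 26 Jul 2015 20:37:03 +0100" while this commit lands on Aug 3, so the trailer timestamp will need refreshing when the entry is finalised for upload.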

Added: dists/jessie-security/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie-security/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch	Mon Aug  3 00:57:23 2015	(r22887)
@@ -0,0 +1,42 @@
+From: Benjamin Randazzo <benjamin at randazzo.fr>
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+Origin: http://git.neil.brown.name/?p=md.git;a=commit;h=77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769         file = kmalloc(sizeof(*file), GFP_NOIO);
+5770         if (!file)
+5771                 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786         if (err == 0 &&
+5787             copy_to_user(arg, file, sizeof(*file)))
+5788                 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775         /* bitmap disabled, zero the first byte and copy out */
+5776         if (!mddev->bitmap_info.file)
+5777                 file->pathname[0] = '\0';
+
+Signed-off-by: Benjamin Randazzo <benjamin at randazzo.fr>
+Signed-off-by: NeilBrown <neilb at suse.com>
+[bwh: Backported to 3.16: don't touch anything but the allocation call, as
+ the following code is significantly different here.]
+---
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5624,7 +5624,7 @@ static int get_bitmap_file(struct mddev
+ 	char *ptr, *buf = NULL;
+ 	int err = -ENOMEM;
+ 
+-	file = kmalloc(sizeof(*file), GFP_NOIO);
++	file = kzalloc(sizeof(*file), GFP_NOIO);
+ 
+ 	if (!file)
+ 		goto out;
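Review bot: the single kmalloc() to kzalloc() replacement in the get_bitmap_file() hunk is sufficient on its own for this leak, because zeroing the whole mdu_bitmap_file_t at allocation covers every byte later handed to copy_to_user(), including the unused tail of pathname, and the later `file->pathname[0] = '\0'` that the 3.16 code keeps becomes redundant but harmless; the bwh backport note explaining why nothing else was touched is the right thing to leave in the file. Two documentation nits in the imported description: the quoted upstream fragment `5788                 err = -EFAULT` is missing its trailing semicolon (truncated when pasted), and the quoted line numbers 5769-5788 are upstream's, whereas the backported hunk applies at 5624 in the jessie tree, so a reader cross-checking against 3.16 should expect that offset.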

Modified: dists/jessie-security/linux/debian/patches/series
==============================================================================
--- dists/jessie-security/linux/debian/patches/series	Mon Aug  3 00:38:33 2015	(r22886)
+++ dists/jessie-security/linux/debian/patches/series	Mon Aug  3 00:57:23 2015	(r22887)
@@ -639,3 +639,4 @@
 bugfix/x86/kvm-x86-fix-kvm_apic_has_events-to-check-for-null-po.patch
 bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
 bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
+bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch


