[kernel] r22888 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at moszumanska.debian.org
Mon Aug 3 01:02:11 UTC 2015
Author: benh
Date: Mon Aug 3 01:02:09 2015
New Revision: 22888
Log:
md: use kzalloc() when bitmap is disabled (CVE-2015-5697)
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Mon Aug 3 00:57:23 2015 (r22887)
+++ dists/wheezy-security/linux/debian/changelog Mon Aug 3 01:02:09 2015 (r22888)
@@ -6,6 +6,7 @@
* [x86] bpf_jit: fix compilation of large bpf programs (CVE-2015-4700)
* sg_start_req(): make sure that there's not too many elements in iovec
(CVE-2015-5707)
+ * md: use kzalloc() when bitmap is disabled (CVE-2015-5697)
-- Ben Hutchings <ben at decadent.org.uk> Sun, 28 Jun 2015 23:37:37 +0100
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch Mon Aug 3 01:02:09 2015 (r22888)
@@ -0,0 +1,47 @@
+From: Benjamin Randazzo <benjamin at randazzo.fr>
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+Origin: http://git.neil.brown.name/?p=md.git;a=commit;h=77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769 file = kmalloc(sizeof(*file), GFP_NOIO);
+5770 if (!file)
+5771 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786 if (err == 0 &&
+5787 copy_to_user(arg, file, sizeof(*file)))
+5788 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775 /* bitmap disabled, zero the first byte and copy out */
+5776 if (!mddev->bitmap_info.file)
+5777 file->pathname[0] = '\0';
+
+Signed-off-by: Benjamin Randazzo <benjamin at randazzo.fr>
+Signed-off-by: NeilBrown <neilb at suse.com>
+[bwh: Backported to 3.2:
+ - Don't touch anything but the allocation call, as the following code is
+ significantly different here
+ - Patch both possible allocation calls]
+---
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5384,9 +5384,9 @@ static int get_bitmap_file(struct mddev
+ int err = -ENOMEM;
+
+ if (md_allow_write(mddev))
+- file = kmalloc(sizeof(*file), GFP_NOIO);
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+ else
+- file = kmalloc(sizeof(*file), GFP_KERNEL);
++ file = kzalloc(sizeof(*file), GFP_KERNEL);
+
+ if (!file)
+ goto out;
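Review bot: the patch header carries the upstream `Origin:` but no CVE reference, while the changelog entry for this same commit cites CVE-2015-5697; adding the CVE id (for example as a `Bug-Debian:`/`Bug:` DEP-3 field or in the Subject line) next to `Origin:` would keep the patch file traceable on its own when it is read outside the changelog. On the change itself, switching both the `md_allow_write(mddev)` branch (GFP_NOIO) and the fallback branch (GFP_KERNEL) from kmalloc() to kzalloc() is the right minimal backport: the bwh note says the code following the allocation differs significantly in 3.2, so zeroing the whole `mdu_bitmap_file_t` at allocation time guarantees that no uninitialized bytes of `file` can reach copy_to_user(), whichever path the later 3.2 code takes, rather than depending on a `pathname[0] = '\0'` assignment that only covers the first byte. The gfp flags are preserved, so allocation context is unchanged, and the unchanged `if (!file) goto out;` error path still handles allocation failure.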
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Mon Aug 3 00:57:23 2015 (r22887)
+++ dists/wheezy-security/linux/debian/patches/series Mon Aug 3 01:02:09 2015 (r22888)
@@ -1174,3 +1174,4 @@
bugfix/all/sctp-fix-asconf-list-handling.patch
bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
+bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch