[kernel] r22889 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at moszumanska.debian.org
Mon Aug 3 01:03:28 UTC 2015


Author: benh
Date: Mon Aug  3 01:03:28 2015
New Revision: 22889

Log:
md: use kzalloc() when bitmap is disabled (CVE-2015-5697)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze14

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Mon Aug  3 01:02:09 2015	(r22888)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Mon Aug  3 01:03:28 2015	(r22889)
@@ -6,6 +6,7 @@
     (CVE-2015-5707)
   * crypto: testmgr - update LZO compression test vectors
     (regression in 2.6.32.64)
+  * md: use kzalloc() when bitmap is disabled (CVE-2015-5697)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 28 Jun 2015 23:23:19 +0100
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch	Mon Aug  3 01:03:28 2015	(r22889)
@@ -0,0 +1,47 @@
+From: Benjamin Randazzo <benjamin at randazzo.fr>
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+Origin: http://git.neil.brown.name/?p=md.git;a=commit;h=77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769         file = kmalloc(sizeof(*file), GFP_NOIO);
+5770         if (!file)
+5771                 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786         if (err == 0 &&
+5787             copy_to_user(arg, file, sizeof(*file)))
+5788                 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775         /* bitmap disabled, zero the first byte and copy out */
+5776         if (!mddev->bitmap_info.file)
+5777                 file->pathname[0] = '\0';
+
+Signed-off-by: Benjamin Randazzo <benjamin at randazzo.fr>
+Signed-off-by: NeilBrown <neilb at suse.com>
+[bwh: Backported to 3.2:
+ - Don't touch anything but the allocation call, as the following code is
+   significantly different here
+ - Patch both possible allocation calls]
+---
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -4683,9 +4683,9 @@ static int get_bitmap_file(struct mddev
+ 	int err = -ENOMEM;
+ 
+ 	if (md_allow_write(mddev))
+-		file = kmalloc(sizeof(*file), GFP_NOIO);
++		file = kzalloc(sizeof(*file), GFP_NOIO);
+ 	else
+-		file = kmalloc(sizeof(*file), GFP_KERNEL);
++		file = kzalloc(sizeof(*file), GFP_KERNEL);
+ 
+ 	if (!file)
+ 		goto out;
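Review bot: The backport annotation in the patch header ("[bwh: Backported to 3.2: ...]") names 3.2, while this file is being added under dists/squeeze-security/linux-2.6, so the header should also record that the 3.2 backport was checked against this tree. The description quotes a single kmalloc() at upstream line 5769, whereas the embedded hunk at line 4683 changes two calls (GFP_NOIO and GFP_KERNEL); a line such as "[also applies to the squeeze 2.6 tree, both allocation branches present]" would let a later reader confirm nothing was missed. The change itself matches the described leak: copy_to_user() copies sizeof(*file), and only pathname[0] is set when the bitmap is disabled, so zeroing at allocation in both branches covers the remaining bytes.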

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze14
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze14	Mon Aug  3 01:02:09 2015	(r22888)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze14	Mon Aug  3 01:03:28 2015	(r22889)
@@ -1,3 +1,4 @@
 + bugfix/all/udp-fix-behavior-of-wrong-checksums.patch
 + bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
 + bugfix/all/crypto-testmgr-update-lzo-compression-test-vectors.patch
++ bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch


