[linux] 06/07: mm/mempolicy.c: fix error handling in set_mempolicy and mbind (CVE-2017-7616)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Apr 19 17:58:41 UTC 2017 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie
in repository linux.

commit bd9e014e12266c2ef4b5316f3da910c1d82b034d
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Apr 19 18:52:06 2017 +0100

    mm/mempolicy.c: fix error handling in set_mempolicy and mbind (CVE-2017-7616)
---
 debian/changelog                                   |  2 +
 ...y.c-fix-error-handling-in-set_mempolicy-a.patch | 72 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 75 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 9ee5a90..9fa3c8b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -603,6 +603,8 @@ linux (3.16.43-1) UNRELEASED; urgency=medium
   * [x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
     (CVE-2017-7294)
   * net/packet: Fix integer overflow in various range checks (CVE-2017-7308)
+  * mm/mempolicy.c: fix error handling in set_mempolicy and mbind
+    (CVE-2017-7616)
 
   [ Salvatore Bonaccorso ]
   * sunrpc: fix refcounting problems with auth_gss messages.
diff --git a/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch b/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
new file mode 100644
index 0000000..2343369
--- /dev/null
+++ b/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
@@ -0,0 +1,72 @@
+From: Chris Salls <salls at cs.ucsb.edu>
+Date: Fri, 7 Apr 2017 23:48:11 -0700
+Subject: mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
+Origin: https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7616
+
+In the case that compat_get_bitmap fails we do not want to copy the
+bitmap to the user as it will contain uninitialized stack data and leak
+sensitive data.
+
+Signed-off-by: Chris Salls <salls at cs.ucsb.edu>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ mm/mempolicy.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -1559,7 +1559,6 @@ COMPAT_SYSCALL_DEFINE5(get_mempolicy, in
+ COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
+ 		       compat_ulong_t, maxnode)
+ {
+-	long err = 0;
+ 	unsigned long __user *nm = NULL;
+ 	unsigned long nr_bits, alloc_size;
+ 	DECLARE_BITMAP(bm, MAX_NUMNODES);
+@@ -1568,14 +1567,13 @@ COMPAT_SYSCALL_DEFINE3(set_mempolicy, in
+ 	alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
+ 
+ 	if (nmask) {
+-		err = compat_get_bitmap(bm, nmask, nr_bits);
++		if (compat_get_bitmap(bm, nmask, nr_bits))
++			return -EFAULT;
+ 		nm = compat_alloc_user_space(alloc_size);
+-		err |= copy_to_user(nm, bm, alloc_size);
++		if (copy_to_user(nm, bm, alloc_size))
++			return -EFAULT;
+ 	}
+ 
+-	if (err)
+-		return -EFAULT;
+-
+ 	return sys_set_mempolicy(mode, nm, nr_bits+1);
+ }
+ 
+@@ -1583,7 +1581,6 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulo
+ 		       compat_ulong_t, mode, compat_ulong_t __user *, nmask,
+ 		       compat_ulong_t, maxnode, compat_ulong_t, flags)
+ {
+-	long err = 0;
+ 	unsigned long __user *nm = NULL;
+ 	unsigned long nr_bits, alloc_size;
+ 	nodemask_t bm;
+@@ -1592,14 +1589,13 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulo
+ 	alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
+ 
+ 	if (nmask) {
+-		err = compat_get_bitmap(nodes_addr(bm), nmask, nr_bits);
++		if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits))
++			return -EFAULT;
+ 		nm = compat_alloc_user_space(alloc_size);
+-		err |= copy_to_user(nm, nodes_addr(bm), alloc_size);
++		if (copy_to_user(nm, nodes_addr(bm), alloc_size))
++			return -EFAULT;
+ 	}
+ 
+-	if (err)
+-		return -EFAULT;
+-
+ 	return sys_mbind(start, len, mode, nm, nr_bits+1, flags);
+ }
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 82981ef..2a23f89 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -683,6 +683,7 @@ bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
+bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list