[linux] 10/11: mm/mempolicy.c: fix error handling in set_mempolicy and mbind (CVE-2017-7616)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Apr 26 23:25:02 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit 7d433a90047ceea3ed17de1a2ea6ac8b342f7fe1
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Apr 26 23:48:36 2017 +0100
mm/mempolicy.c: fix error handling in set_mempolicy and mbind (CVE-2017-7616)
---
debian/changelog | 2 +
...y.c-fix-error-handling-in-set_mempolicy-a.patch | 72 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 75 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index e86948e..e05176a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -189,6 +189,8 @@ linux (3.2.88-1) UNRELEASED; urgency=medium
* net/packet: Fix integer overflow in various range checks (CVE-2017-7308)
* KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
(CVE-2017-7472)
+ * mm/mempolicy.c: fix error handling in set_mempolicy and mbind
+ (CVE-2017-7616)
-- Ben Hutchings <ben at decadent.org.uk> Mon, 13 Mar 2017 23:12:35 +0000
diff --git a/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch b/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
new file mode 100644
index 0000000..c1d314c
--- /dev/null
+++ b/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
@@ -0,0 +1,72 @@
+From: Chris Salls <salls at cs.ucsb.edu>
+Date: Fri, 7 Apr 2017 23:48:11 -0700
+Subject: mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
+Origin: https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7616
+
+In the case that compat_get_bitmap fails we do not want to copy the
+bitmap to the user as it will contain uninitialized stack data and leak
+sensitive data.
+
+Signed-off-by: Chris Salls <salls at cs.ucsb.edu>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ mm/mempolicy.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -1446,7 +1446,6 @@ asmlinkage long compat_sys_get_mempolicy
+ asmlinkage long compat_sys_set_mempolicy(int mode, compat_ulong_t __user *nmask,
+ compat_ulong_t maxnode)
+ {
+- long err = 0;
+ unsigned long __user *nm = NULL;
+ unsigned long nr_bits, alloc_size;
+ DECLARE_BITMAP(bm, MAX_NUMNODES);
+@@ -1455,14 +1454,13 @@ asmlinkage long compat_sys_set_mempolicy
+ alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
+
+ if (nmask) {
+- err = compat_get_bitmap(bm, nmask, nr_bits);
++ if (compat_get_bitmap(bm, nmask, nr_bits))
++ return -EFAULT;
+ nm = compat_alloc_user_space(alloc_size);
+- err |= copy_to_user(nm, bm, alloc_size);
++ if (copy_to_user(nm, bm, alloc_size))
++ return -EFAULT;
+ }
+
+- if (err)
+- return -EFAULT;
+-
+ return sys_set_mempolicy(mode, nm, nr_bits+1);
+ }
+
+@@ -1470,7 +1468,6 @@ asmlinkage long compat_sys_mbind(compat_
+ compat_ulong_t mode, compat_ulong_t __user *nmask,
+ compat_ulong_t maxnode, compat_ulong_t flags)
+ {
+- long err = 0;
+ unsigned long __user *nm = NULL;
+ unsigned long nr_bits, alloc_size;
+ nodemask_t bm;
+@@ -1479,14 +1476,13 @@ asmlinkage long compat_sys_mbind(compat_
+ alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
+
+ if (nmask) {
+- err = compat_get_bitmap(nodes_addr(bm), nmask, nr_bits);
++ if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits))
++ return -EFAULT;
+ nm = compat_alloc_user_space(alloc_size);
+- err |= copy_to_user(nm, nodes_addr(bm), alloc_size);
++ if (copy_to_user(nm, nodes_addr(bm), alloc_size))
++ return -EFAULT;
+ }
+
+- if (err)
+- return -EFAULT;
+-
+ return sys_mbind(start, len, mode, nm, nr_bits+1, flags);
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index eceba54..e4e860d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1121,6 +1121,7 @@ bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch
+bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
# ABI maintenance
debian/perf-hide-abi-change-in-3.2.30.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list