[linux] 10/11: mm/mempolicy.c: fix error handling in set_mempolicy and mbind (CVE-2017-7616)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Apr 26 23:25:02 UTC 2017 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 7d433a90047ceea3ed17de1a2ea6ac8b342f7fe1
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Apr 26 23:48:36 2017 +0100

    mm/mempolicy.c: fix error handling in set_mempolicy and mbind (CVE-2017-7616)
---
 debian/changelog                                   |  2 +
 ...y.c-fix-error-handling-in-set_mempolicy-a.patch | 72 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 75 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index e86948e..e05176a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -189,6 +189,8 @@ linux (3.2.88-1) UNRELEASED; urgency=medium
   * net/packet: Fix integer overflow in various range checks (CVE-2017-7308)
   * KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
     (CVE-2017-7472)
+  * mm/mempolicy.c: fix error handling in set_mempolicy and mbind
+    (CVE-2017-7616)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 13 Mar 2017 23:12:35 +0000
 
diff --git a/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch b/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
new file mode 100644
index 0000000..c1d314c
--- /dev/null
+++ b/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
@@ -0,0 +1,72 @@
+From: Chris Salls <salls at cs.ucsb.edu>
+Date: Fri, 7 Apr 2017 23:48:11 -0700
+Subject: mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
+Origin: https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7616
+
+In the case that compat_get_bitmap fails we do not want to copy the
+bitmap to the user as it will contain uninitialized stack data and leak
+sensitive data.
+
+Signed-off-by: Chris Salls <salls at cs.ucsb.edu>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ mm/mempolicy.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -1446,7 +1446,6 @@ asmlinkage long compat_sys_get_mempolicy
+ asmlinkage long compat_sys_set_mempolicy(int mode, compat_ulong_t __user *nmask,
+ 				     compat_ulong_t maxnode)
+ {
+-	long err = 0;
+ 	unsigned long __user *nm = NULL;
+ 	unsigned long nr_bits, alloc_size;
+ 	DECLARE_BITMAP(bm, MAX_NUMNODES);
+@@ -1455,14 +1454,13 @@ asmlinkage long compat_sys_set_mempolicy
+ 	alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
+ 
+ 	if (nmask) {
+-		err = compat_get_bitmap(bm, nmask, nr_bits);
++		if (compat_get_bitmap(bm, nmask, nr_bits))
++			return -EFAULT;
+ 		nm = compat_alloc_user_space(alloc_size);
+-		err |= copy_to_user(nm, bm, alloc_size);
++		if (copy_to_user(nm, bm, alloc_size))
++			return -EFAULT;
+ 	}
+ 
+-	if (err)
+-		return -EFAULT;
+-
+ 	return sys_set_mempolicy(mode, nm, nr_bits+1);
+ }
+ 
+@@ -1470,7 +1468,6 @@ asmlinkage long compat_sys_mbind(compat_
+ 			     compat_ulong_t mode, compat_ulong_t __user *nmask,
+ 			     compat_ulong_t maxnode, compat_ulong_t flags)
+ {
+-	long err = 0;
+ 	unsigned long __user *nm = NULL;
+ 	unsigned long nr_bits, alloc_size;
+ 	nodemask_t bm;
+@@ -1479,14 +1476,13 @@ asmlinkage long compat_sys_mbind(compat_
+ 	alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
+ 
+ 	if (nmask) {
+-		err = compat_get_bitmap(nodes_addr(bm), nmask, nr_bits);
++		if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits))
++			return -EFAULT;
+ 		nm = compat_alloc_user_space(alloc_size);
+-		err |= copy_to_user(nm, nodes_addr(bm), alloc_size);
++		if (copy_to_user(nm, nodes_addr(bm), alloc_size))
++			return -EFAULT;
+ 	}
+ 
+-	if (err)
+-		return -EFAULT;
+-
+ 	return sys_mbind(start, len, mode, nm, nr_bits+1, flags);
+ }
+ 
diff --git a/debian/patches/series b/debian/patches/series
index eceba54..e4e860d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1121,6 +1121,7 @@ bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
 bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
 bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch
+bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list