forked from rpms/kernel
Linux v4.2-rc5-42-g4e6b6ee253ce
This commit is contained in:
Josh Boyer
parent
172dafa8ae
commit
c3a77ea556
@ -67,7 +67,7 @@ Summary: The Linux kernel
|
||||
# The rc snapshot level
|
||||
%define rcrev 5
|
||||
# The git snapshot level
|
||||
%define gitrev 1
|
||||
%define gitrev 2
|
||||
# Set rpm version accordingly
|
||||
%define rpmversion 4.%{upstream_sublevel}.0
|
||||
%endif
|
||||
@ -584,9 +584,6 @@ Patch503: drm-i915-turn-off-wc-mmaps.patch
|
||||
|
||||
Patch505: 0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch
|
||||
|
||||
# CVE-2015-5697 (rhbz 1249011 1249013)
|
||||
Patch506: md-use-kzalloc-when-bitmap-is-disabled.patch
|
||||
|
||||
#rhbz 1244511
|
||||
Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch
|
||||
|
||||
@ -2027,6 +2024,9 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Aug 05 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.2.0-0.rc5.git2.1
|
||||
- Linux v4.2-rc5-42-g4e6b6ee253ce
|
||||
|
||||
* Tue Aug 04 2015 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- Patch from Nicholas Kudriavtsev for Acer Switch 12 Fn keys (rhbz 1244511)
|
||||
|
||||
|
||||
@ -1,70 +0,0 @@
|
||||
From 77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4 Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Randazzo <benjamin@randazzo.fr>
|
||||
Date: Sat, 25 Jul 2015 16:36:50 +0200
|
||||
Subject: md: use kzalloc() when bitmap is disabled
|
||||
|
||||
In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
|
||||
mdu_bitmap_file_t called "file".
|
||||
|
||||
5769 file = kmalloc(sizeof(*file), GFP_NOIO);
|
||||
5770 if (!file)
|
||||
5771 return -ENOMEM;
|
||||
|
||||
This structure is copied to user space at the end of the function.
|
||||
|
||||
5786 if (err == 0 &&
|
||||
5787 copy_to_user(arg, file, sizeof(*file)))
|
||||
5788 err = -EFAULT
|
||||
|
||||
But if bitmap is disabled only the first byte of "file" is initialized
|
||||
with zero, so it's possible to read some bytes (up to 4095) of kernel
|
||||
space memory from user space. This is an information leak.
|
||||
|
||||
5775 /* bitmap disabled, zero the first byte and copy out */
|
||||
5776 if (!mddev->bitmap_info.file)
|
||||
5777 file->pathname[0] = '\0';
|
||||
|
||||
Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
|
||||
Signed-off-by: NeilBrown <neilb@suse.com>
|
||||
|
||||
diff --git a/drivers/md/md.c b/drivers/md/md.c
|
||||
index ce4cb8b..cdc080b 100644
|
||||
--- a/drivers/md/md.c
|
||||
+++ b/drivers/md/md.c
|
||||
@@ -5765,22 +5765,22 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
|
||||
char *ptr;
|
||||
int err;
|
||||
|
||||
- file = kmalloc(sizeof(*file), GFP_NOIO);
|
||||
+ file = kzalloc(sizeof(*file), GFP_NOIO);
|
||||
if (!file)
|
||||
return -ENOMEM;
|
||||
|
||||
err = 0;
|
||||
spin_lock(&mddev->lock);
|
||||
- /* bitmap disabled, zero the first byte and copy out */
|
||||
- if (!mddev->bitmap_info.file)
|
||||
- file->pathname[0] = '\0';
|
||||
- else if ((ptr = file_path(mddev->bitmap_info.file,
|
||||
- file->pathname, sizeof(file->pathname))),
|
||||
- IS_ERR(ptr))
|
||||
- err = PTR_ERR(ptr);
|
||||
- else
|
||||
- memmove(file->pathname, ptr,
|
||||
- sizeof(file->pathname)-(ptr-file->pathname));
|
||||
+ /* bitmap enabled */
|
||||
+ if (mddev->bitmap_info.file) {
|
||||
+ ptr = file_path(mddev->bitmap_info.file, file->pathname,
|
||||
+ sizeof(file->pathname));
|
||||
+ if (IS_ERR(ptr))
|
||||
+ err = PTR_ERR(ptr);
|
||||
+ else
|
||||
+ memmove(file->pathname, ptr,
|
||||
+ sizeof(file->pathname)-(ptr-file->pathname));
|
||||
+ }
|
||||
spin_unlock(&mddev->lock);
|
||||
|
||||
if (err == 0 &&
|
||||
--
|
||||
cgit v0.10.2
|
||||
|
||||
Loading…
Reference in New Issue
Block a user