Linux v4.2-rc5-42-g4e6b6ee253ce

kernel.spec

@@ -67,7 +67,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 5
 # The git snapshot level
-%define gitrev 1
+%define gitrev 2
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -584,9 +584,6 @@ Patch503: drm-i915-turn-off-wc-mmaps.patch
 
 Patch505: 0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch
 
-# CVE-2015-5697 (rhbz 1249011 1249013)
-Patch506: md-use-kzalloc-when-bitmap-is-disabled.patch
-
 #rhbz 1244511
 Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch
 
@@ -2027,6 +2024,9 @@ fi
 #
 # 
 %changelog
+* Wed Aug 05 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.2.0-0.rc5.git2.1
+- Linux v4.2-rc5-42-g4e6b6ee253ce
+
 * Tue Aug 04 2015 Josh Boyer <jwboyer@fedoraproject.org>
 - Patch from Nicholas Kudriavtsev for Acer Switch 12 Fn keys (rhbz 1244511)
 

md-use-kzalloc-when-bitmap-is-disabled.patch

@@ -1,70 +0,0 @@
-From 77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4 Mon Sep 17 00:00:00 2001
-From: Benjamin Randazzo <benjamin@randazzo.fr>
-Date: Sat, 25 Jul 2015 16:36:50 +0200
-Subject: md: use kzalloc() when bitmap is disabled
-
-In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
-mdu_bitmap_file_t called "file".
-
-5769         file = kmalloc(sizeof(*file), GFP_NOIO);
-5770         if (!file)
-5771                 return -ENOMEM;
-
-This structure is copied to user space at the end of the function.
-
-5786         if (err == 0 &&
-5787             copy_to_user(arg, file, sizeof(*file)))
-5788                 err = -EFAULT
-
-But if bitmap is disabled only the first byte of "file" is initialized
-with zero, so it's possible to read some bytes (up to 4095) of kernel
-space memory from user space. This is an information leak.
-
-5775         /* bitmap disabled, zero the first byte and copy out */
-5776         if (!mddev->bitmap_info.file)
-5777                 file->pathname[0] = '\0';
-
-Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
-Signed-off-by: NeilBrown <neilb@suse.com>
-
-diff --git a/drivers/md/md.c b/drivers/md/md.c
-index ce4cb8b..cdc080b 100644
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -5765,22 +5765,22 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
- 	char *ptr;
- 	int err;
- 
--	file = kmalloc(sizeof(*file), GFP_NOIO);
-+	file = kzalloc(sizeof(*file), GFP_NOIO);
- 	if (!file)
- 		return -ENOMEM;
- 
- 	err = 0;
- 	spin_lock(&mddev->lock);
--	/* bitmap disabled, zero the first byte and copy out */
--	if (!mddev->bitmap_info.file)
--		file->pathname[0] = '\0';
--	else if ((ptr = file_path(mddev->bitmap_info.file,
--			       file->pathname, sizeof(file->pathname))),
--		 IS_ERR(ptr))
--		err = PTR_ERR(ptr);
--	else
--		memmove(file->pathname, ptr,
--			sizeof(file->pathname)-(ptr-file->pathname));
-+	/* bitmap enabled */
-+	if (mddev->bitmap_info.file) {
-+		ptr = file_path(mddev->bitmap_info.file, file->pathname,
-+				sizeof(file->pathname));
-+		if (IS_ERR(ptr))
-+			err = PTR_ERR(ptr);
-+		else
-+			memmove(file->pathname, ptr,
-+				sizeof(file->pathname)-(ptr-file->pathname));
-+	}
- 	spin_unlock(&mddev->lock);
- 
- 	if (err == 0 &&
--- 
-cgit v0.10.2
-

sources

@@ -1,4 +1,4 @@
 fe9dc0f6729f36400ea81aa41d614c37  linux-4.1.tar.xz
 84e34c2f58901edcc5c840fe9893c02e  perf-man-4.1.tar.gz
 6715134ec734556d5212594061680c0a  patch-4.2-rc5.xz
-eb1aba6d82ff8fc53f6acf8db8bc562a  patch-4.2-rc5-git1.xz
+dae0b9d51468240b1495f00ee7328762  patch-4.2-rc5-git2.xz