rpms/kernel
9
2
Fork 4
Code Issues Pull Requests Releases Activity

CVE-2015-5697 info leak in md driver (rhbz 1249011 1249013)

Browse Source
This commit is contained in:
Josh Boyer 2015-08-03 20:20:41 -04:00
parent f2e2f136a7
commit dba6c5bc71
2 changed files with 76 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
kernel.spec
View File

@ -584,6 +584,9 @@ Patch503: drm-i915-turn-off-wc-mmaps.patch
Patch505: 0001-Revert-dm-fix-casting-bug-in-dm_merge_bvec.patch Patch505: 0001-Revert-dm-fix-casting-bug-in-dm_merge_bvec.patch
# CVE-2015-5697 (rhbz 1249011 1249013)
Patch506: md-use-kzalloc-when-bitmap-is-disabled.patch
Patch904: kdbus.patch Patch904: kdbus.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
@ -2021,6 +2024,9 @@ fi
# #
# #
%changelog %changelog
* Mon Aug 03 2015 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2015-5697 info leak in md driver (rhbz 1249011 1249013)
* Mon Aug 03 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.2.0-0.rc5.git0.1 * Mon Aug 03 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.2.0-0.rc5.git0.1
- Linux v4.2-rc5 - Linux v4.2-rc5
- Disable debugging options. - Disable debugging options.

70
md-use-kzalloc-when-bitmap-is-disabled.patch Normal file
View File

@ -0,0 +1,70 @@
From 77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4 Mon Sep 17 00:00:00 2001
From: Benjamin Randazzo <benjamin@randazzo.fr>
Date: Sat, 25 Jul 2015 16:36:50 +0200
Subject: md: use kzalloc() when bitmap is disabled
In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
mdu_bitmap_file_t called "file".
5769 file = kmalloc(sizeof(*file), GFP_NOIO);
5770 if (!file)
5771 return -ENOMEM;
This structure is copied to user space at the end of the function.
5786 if (err == 0 &&
5787 copy_to_user(arg, file, sizeof(*file)))
5788 err = -EFAULT
But if bitmap is disabled only the first byte of "file" is initialized
with zero, so it's possible to read some bytes (up to 4095) of kernel
space memory from user space. This is an information leak.
5775 /* bitmap disabled, zero the first byte and copy out */
5776 if (!mddev->bitmap_info.file)
5777 file->pathname[0] = '\0';
Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
Signed-off-by: NeilBrown <neilb@suse.com>
diff --git a/drivers/md/md.c b/drivers/md/md.c
index ce4cb8b..cdc080b 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -5765,22 +5765,22 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
char *ptr;
int err;
- file = kmalloc(sizeof(*file), GFP_NOIO);
+ file = kzalloc(sizeof(*file), GFP_NOIO);
if (!file)
return -ENOMEM;
err = 0;
spin_lock(&mddev->lock);
- /* bitmap disabled, zero the first byte and copy out */
- if (!mddev->bitmap_info.file)
- file->pathname[0] = '\0';
- else if ((ptr = file_path(mddev->bitmap_info.file,
- file->pathname, sizeof(file->pathname))),
- IS_ERR(ptr))
- err = PTR_ERR(ptr);
- else
- memmove(file->pathname, ptr,
- sizeof(file->pathname)-(ptr-file->pathname));
+ /* bitmap enabled */
+ if (mddev->bitmap_info.file) {
+ ptr = file_path(mddev->bitmap_info.file, file->pathname,
+ sizeof(file->pathname));
+ if (IS_ERR(ptr))
+ err = PTR_ERR(ptr);
+ else
+ memmove(file->pathname, ptr,
+ sizeof(file->pathname)-(ptr-file->pathname));
+ }
spin_unlock(&mddev->lock);
if (err == 0 &&
--
cgit v0.10.2