CVE-2015-5697 info leak in md driver (rhbz 1249011 1249013)

2015-08-03 20:20:41 -04:00 · 2015-08-03 20:20:41 -04:00 · 6075fa24e0
parent e7a2da13e8
commit 6075fa24e0
2 changed files with 80 additions and 0 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -636,6 +636,9 @@ Patch26260: x86-nmi-64-Improve-nested-NMI-comments.patch
 Patch26261: x86-nmi-64-Reorder-nested-NMI-checks.patch
 Patch26262: x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch

+# CVE-2015-5697 (rhbz 1249011 1249013)
+Patch26263: md-use-kzalloc-when-bitmap-is-disabled.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -1390,6 +1393,9 @@ ApplyPatch x86-nmi-64-Improve-nested-NMI-comments.patch
 ApplyPatch x86-nmi-64-Reorder-nested-NMI-checks.patch
 ApplyPatch x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch

+# CVE-2015-5697 (rhbz 1249011 1249013)
+ApplyPatch md-use-kzalloc-when-bitmap-is-disabled.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2242,6 +2248,7 @@ fi
 %changelog
 * Mon Aug 03 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.1.4-200
 - Linux v4.1.4
+- CVE-2015-5697 info leak in md driver (rhbz 1249011 1249013)

 * Wed Jul 29 2015 Laura Abbott <labbott@redhat.com> - 4.1.3-201
 - tag and build for CVE fixes
--- a/md-use-kzalloc-when-bitmap-is-disabled.patch
+++ b/md-use-kzalloc-when-bitmap-is-disabled.patch
@ -0,0 +1,73 @@
+From 28af19ef1eaa703bbbeff1022194a7e29c4d7ec3 Mon Sep 17 00:00:00 2001
+From: Benjamin Randazzo <benjamin@randazzo.fr>
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: [PATCH] md: use kzalloc() when bitmap is disabled
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769         file = kmalloc(sizeof(*file), GFP_NOIO);
+5770         if (!file)
+5771                 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786         if (err == 0 &&
+5787             copy_to_user(arg, file, sizeof(*file)))
+5788                 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775         /* bitmap disabled, zero the first byte and copy out */
+5776         if (!mddev->bitmap_info.file)
+5777                 file->pathname[0] = '\0';
+
+Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
+Signed-off-by: NeilBrown <neilb@suse.com>
+---
+ drivers/md/md.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index b9200282fd77..90fa5fcb412f 100644
+--- a/drivers/md/md.c
+++ b/drivers/md/md.c
+@@ -5740,22 +5740,22 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
+ 	char *ptr;
+ 	int err;
+ 
+-	file = kmalloc(sizeof(*file), GFP_NOIO);
+	file = kzalloc(sizeof(*file), GFP_NOIO);
+ 	if (!file)
+ 		return -ENOMEM;
+ 
+ 	err = 0;
+ 	spin_lock(&mddev->lock);
+-	/* bitmap disabled, zero the first byte and copy out */
+-	if (!mddev->bitmap_info.file)
+-		file->pathname[0] = '\0';
+-	else if ((ptr = d_path(&mddev->bitmap_info.file->f_path,
+-			       file->pathname, sizeof(file->pathname))),
+-		 IS_ERR(ptr))
+-		err = PTR_ERR(ptr);
+-	else
+-		memmove(file->pathname, ptr,
+-			sizeof(file->pathname)-(ptr-file->pathname));
+	/* bitmap enabled */
+	if (mddev->bitmap_info.file) {
+		ptr = d_path(&mddev->bitmap_info.file->f_path,
+				file->pathname, sizeof(file->pathname));
+		if (IS_ERR(ptr))
+			err = PTR_ERR(ptr);
+		else
+			memmove(file->pathname, ptr,
+					sizeof(file->pathname)-(ptr-file->pathname));
+	}
+ 	spin_unlock(&mddev->lock);
+ 
+ 	if (err == 0 &&
+-- 
+2.4.3
+