CVE-2015-5697 info leak in md driver (rhbz 1249011 1249013)
This commit is contained in:
parent
e7a2da13e8
commit
6075fa24e0
|
@ -636,6 +636,9 @@ Patch26260: x86-nmi-64-Improve-nested-NMI-comments.patch
|
|||
Patch26261: x86-nmi-64-Reorder-nested-NMI-checks.patch
|
||||
Patch26262: x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
|
||||
|
||||
# CVE-2015-5697 (rhbz 1249011 1249013)
|
||||
Patch26263: md-use-kzalloc-when-bitmap-is-disabled.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1390,6 +1393,9 @@ ApplyPatch x86-nmi-64-Improve-nested-NMI-comments.patch
|
|||
ApplyPatch x86-nmi-64-Reorder-nested-NMI-checks.patch
|
||||
ApplyPatch x86-nmi-64-Use-DF-to-avoid-userspace-RSP-confusing-n.patch
|
||||
|
||||
# CVE-2015-5697 (rhbz 1249011 1249013)
|
||||
ApplyPatch md-use-kzalloc-when-bitmap-is-disabled.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2242,6 +2248,7 @@ fi
|
|||
%changelog
|
||||
* Mon Aug 03 2015 Josh Boyer <jwboyer@fedoraproject.org> - 4.1.4-200
|
||||
- Linux v4.1.4
|
||||
- CVE-2015-5697 info leak in md driver (rhbz 1249011 1249013)
|
||||
|
||||
* Wed Jul 29 2015 Laura Abbott <labbott@redhat.com> - 4.1.3-201
|
||||
- tag and build for CVE fixes
|
||||
|
|
|
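Review bot: The new `# CVE-2015-5697 (rhbz 1249011 1249013)` comment in the Patch definitions hunk names the bug ids but not the upstream commit the patch file carries in its From line, so a later maintainer rebasing to a kernel that already contains it has to open the patch to find out. Extending the comment to `# CVE-2015-5697 (rhbz 1249011 1249013), upstream 28af19ef1eaa` in both the definition and the ApplyPatch hunk makes the drop-when-merged check a one-line grep. The changelog hunk needs no change.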
@ -0,0 +1,73 @@
|
|||
From 28af19ef1eaa703bbbeff1022194a7e29c4d7ec3 Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Randazzo <benjamin@randazzo.fr>
|
||||
Date: Sat, 25 Jul 2015 16:36:50 +0200
|
||||
Subject: [PATCH] md: use kzalloc() when bitmap is disabled
|
||||
|
||||
In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
|
||||
mdu_bitmap_file_t called "file".
|
||||
|
||||
5769 file = kmalloc(sizeof(*file), GFP_NOIO);
|
||||
5770 if (!file)
|
||||
5771 return -ENOMEM;
|
||||
|
||||
This structure is copied to user space at the end of the function.
|
||||
|
||||
5786 if (err == 0 &&
|
||||
5787 copy_to_user(arg, file, sizeof(*file)))
|
||||
5788 err = -EFAULT
|
||||
|
||||
But if bitmap is disabled only the first byte of "file" is initialized
|
||||
with zero, so it's possible to read some bytes (up to 4095) of kernel
|
||||
space memory from user space. This is an information leak.
|
||||
|
||||
5775 /* bitmap disabled, zero the first byte and copy out */
|
||||
5776 if (!mddev->bitmap_info.file)
|
||||
5777 file->pathname[0] = '\0';
|
||||
|
||||
Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
|
||||
Signed-off-by: NeilBrown <neilb@suse.com>
|
||||
---
|
||||
drivers/md/md.c | 22 +++++++++++-----------
|
||||
1 file changed, 11 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/drivers/md/md.c b/drivers/md/md.c
|
||||
index b9200282fd77..90fa5fcb412f 100644
|
||||
--- a/drivers/md/md.c
|
||||
+++ b/drivers/md/md.c
|
||||
@@ -5740,22 +5740,22 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
|
||||
char *ptr;
|
||||
int err;
|
||||
|
||||
- file = kmalloc(sizeof(*file), GFP_NOIO);
|
||||
+ file = kzalloc(sizeof(*file), GFP_NOIO);
|
||||
if (!file)
|
||||
return -ENOMEM;
|
||||
|
||||
err = 0;
|
||||
spin_lock(&mddev->lock);
|
||||
- /* bitmap disabled, zero the first byte and copy out */
|
||||
- if (!mddev->bitmap_info.file)
|
||||
- file->pathname[0] = '\0';
|
||||
- else if ((ptr = d_path(&mddev->bitmap_info.file->f_path,
|
||||
- file->pathname, sizeof(file->pathname))),
|
||||
- IS_ERR(ptr))
|
||||
- err = PTR_ERR(ptr);
|
||||
- else
|
||||
- memmove(file->pathname, ptr,
|
||||
- sizeof(file->pathname)-(ptr-file->pathname));
|
||||
+ /* bitmap enabled */
|
||||
+ if (mddev->bitmap_info.file) {
|
||||
+ ptr = d_path(&mddev->bitmap_info.file->f_path,
|
||||
+ file->pathname, sizeof(file->pathname));
|
||||
+ if (IS_ERR(ptr))
|
||||
+ err = PTR_ERR(ptr);
|
||||
+ else
|
||||
+ memmove(file->pathname, ptr,
|
||||
+ sizeof(file->pathname)-(ptr-file->pathname));
|
||||
+ }
|
||||
spin_unlock(&mddev->lock);
|
||||
|
||||
if (err == 0 &&
|
||||
--
|
||||
2.4.3
|
||||
|
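Review bot: The `kzalloc()` line carries no comment, and the removed `/* bitmap disabled, zero the first byte and copy out */` was the only in-code hint that this buffer is copied to user space as a whole; the reason the zeroed allocation matters now lives solely in the commit message. A short comment on the allocation, `/* the whole struct is copied to user space below, so it must not hold uninitialised bytes */`, would keep a future cleanup from switching it back to kmalloc(). The restructured "bitmap enabled" branch otherwise preserves the old d_path()/memmove() logic unchanged. get_bitmap_file() starts before this hunk (the `file` declaration is not shown) and ends after it, past the copy_to_user() call.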