From c3a77ea556c7eaf497769d0c7142b127e667edfc Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Wed, 5 Aug 2015 10:35:17 -0400
Subject: [PATCH] Linux v4.2-rc5-42-g4e6b6ee253ce
---
 kernel.spec | 8 +--
 md-use-kzalloc-when-bitmap-is-disabled.patch | 70 --------------------
 sources | 2 +-
 3 files changed, 5 insertions(+), 75 deletions(-)
 delete mode 100644 md-use-kzalloc-when-bitmap-is-disabled.patch
diff --git a/kernel.spec b/kernel.spec
index aa2249d20..e91ef9d14 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -67,7 +67,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 5
 # The git snapshot level
-%define gitrev 1
+%define gitrev 2
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -584,9 +584,6 @@ Patch503: drm-i915-turn-off-wc-mmaps.patch
 Patch505: 0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch
-# CVE-2015-5697 (rhbz 1249011 1249013)
-Patch506: md-use-kzalloc-when-bitmap-is-disabled.patch
-
 #rhbz 1244511
 Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch
@@ -2027,6 +2024,9 @@ fi
 #
 #
 %changelog
+* Wed Aug 05 2015 Josh Boyer - 4.2.0-0.rc5.git2.1
+- Linux v4.2-rc5-42-g4e6b6ee253ce
+
 * Tue Aug 04 2015 Josh Boyer
 - Patch from Nicholas Kudriavtsev for Acer Switch 12 Fn keys (rhbz 1244511)
diff --git a/md-use-kzalloc-when-bitmap-is-disabled.patch b/md-use-kzalloc-when-bitmap-is-disabled.patch
deleted file mode 100644
index fded7a2db..000000000
--- a/md-use-kzalloc-when-bitmap-is-disabled.patch
+++ /dev/null
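Review bot: The new %changelog entry (`- Linux v4.2-rc5-42-g4e6b6ee253ce`) does not record that `Patch506: md-use-kzalloc-when-bitmap-is-disabled.patch`, the CVE-2015-5697 fix, is dropped in the second kernel.spec hunk. Presumably the fix is now carried by the upstream git2 snapshot, but nothing visible on this page confirms that. The deleted patch closes a kernel memory disclosure to user space in get_bitmap_file(), so its removal should be traceable from the package history. I would add a changelog line such as `- Drop md-use-kzalloc-when-bitmap-is-disabled.patch, now upstream (CVE-2015-5697 rhbz 1249011 1249013)` once the snapshot has been checked for the kzalloc() change.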
@@ -1,70 +0,0 @@
-From 77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4 Mon Sep 17 00:00:00 2001
-From: Benjamin Randazzo
-Date: Sat, 25 Jul 2015 16:36:50 +0200
-Subject: md: use kzalloc() when bitmap is disabled
-
-In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
-mdu_bitmap_file_t called "file".
-
-5769 file = kmalloc(sizeof(*file), GFP_NOIO);
-5770 if (!file)
-5771 return -ENOMEM;
-
-This structure is copied to user space at the end of the function.
-
-5786 if (err == 0 &&
-5787 copy_to_user(arg, file, sizeof(*file)))
-5788 err = -EFAULT
-
-But if bitmap is disabled only the first byte of "file" is initialized
-with zero, so it's possible to read some bytes (up to 4095) of kernel
-space memory from user space. This is an information leak.
-
-5775 /* bitmap disabled, zero the first byte and copy out */
-5776 if (!mddev->bitmap_info.file)
-5777 file->pathname[0] = '\0';
-
-Signed-off-by: Benjamin Randazzo
-Signed-off-by: NeilBrown
-
-diff --git a/drivers/md/md.c b/drivers/md/md.c
-index ce4cb8b..cdc080b 100644
---- a/drivers/md/md.c
-+++ b/drivers/md/md.c
-@@ -5765,22 +5765,22 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
- char *ptr;
- int err;
-
-- file = kmalloc(sizeof(*file), GFP_NOIO);
-+ file = kzalloc(sizeof(*file), GFP_NOIO);
- if (!file)
- return -ENOMEM;
-
- err = 0;
- spin_lock(&mddev->lock);
-- /* bitmap disabled, zero the first byte and copy out */
-- if (!mddev->bitmap_info.file)
-- file->pathname[0] = '\0';
-- else if ((ptr = file_path(mddev->bitmap_info.file,
-- file->pathname, sizeof(file->pathname))),
-- IS_ERR(ptr))
-- err = PTR_ERR(ptr);
-- else
-- memmove(file->pathname, ptr,
-- sizeof(file->pathname)-(ptr-file->pathname));
-+ /* bitmap enabled */
-+ if (mddev->bitmap_info.file) {
-+ ptr = file_path(mddev->bitmap_info.file, file->pathname,
-+ sizeof(file->pathname));
-+ if (IS_ERR(ptr))
-+ err = PTR_ERR(ptr);
-+ else
-+ memmove(file->pathname, ptr,
-+ sizeof(file->pathname)-(ptr-file->pathname));
-+ }
- spin_unlock(&mddev->lock);
-
- if (err == 0 &&
---
-cgit v0.10.2
-
diff --git a/sources b/sources
index c80958ec9..a9147f0eb 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
 fe9dc0f6729f36400ea81aa41d614c37 linux-4.1.tar.xz
 84e34c2f58901edcc5c840fe9893c02e perf-man-4.1.tar.gz
 6715134ec734556d5212594061680c0a patch-4.2-rc5.xz
-eb1aba6d82ff8fc53f6acf8db8bc562a patch-4.2-rc5-git1.xz
+dae0b9d51468240b1495f00ee7328762 patch-4.2-rc5-git2.xz