md-driver: CVE-2015-5697

Fixes an information leak in md driver.

References:
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5697
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5697
http://www.openwall.com/lists/oss-security/2015/07/28/2

Upstream patch:
===============
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=adbbaa36dd55ff0bde07391d898779760b5206df

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>

2 files changed, 56 insertions, 0 deletions

diff --git a/recipes-kernel/linux/files/md-CVE-2015-5697.patch b/recipes-kernel/linux/files/md-CVE-2015-5697.patch
new file mode 100644
index 0000000..0353660
--- /dev/null
+++ b/recipes-kernel/linux/files/md-CVE-2015-5697.patch
@@ -0,0 +1,55 @@
+From adbbaa36dd55ff0bde07391d898779760b5206df Mon Sep 17 00:00:00 2001
+From: Benjamin Randazzo <benjamin@randazzo.fr>
+Subject: md: use kzalloc() when bitmap is disabled
+
+commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769         file = kmalloc(sizeof(*file), GFP_NOIO);
+5770         if (!file)
+5771                 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786         if (err == 0 &&
+5787             copy_to_user(arg, file, sizeof(*file)))
+5788                 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775         /* bitmap disabled, zero the first byte and copy out */
+5776         if (!mddev->bitmap_info.file)
+5777                 file->pathname[0] = '\0';
+
+Fixes CVE-2015-5707.
+Upstream-Status: Backport
+
+Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/md/md.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index b4067b9..2ffd277 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5645,8 +5645,7 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg)
+        char *ptr, *buf = NULL;
+        int err = -ENOMEM;
+ 
+-       file = kmalloc(sizeof(*file), GFP_NOIO);
+-
++       file = kzalloc(sizeof(*file), GFP_NOIO);
+        if (!file)
+                goto out;
+ 
+-- 
+cgit v0.11.2
+
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index 2baf78e..90bb462 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -9,4 +9,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
             file://fs-CVE-2015-3339.patch \
             file://fs-CVE-2015-5706.patch \
             file://drivers-scsi-CVE-2015-5707.patch \
+            file://md-CVE-2015-5697.patch \
            "