author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-12-29 10:00:20 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-12-29 23:36:07 +0100 |
commit | cc381727c4a4c38cc0697c8f96b6e36e670c2cb7 (patch) | |
tree | 58ba8bf565a001e48f8e3e1f7ced930583ab5013 | |
parent | fe643677a69c0d3d284be6d08bf200817468ecec (diff) | |
md-driver: CVE-2015-5697
Fixes an information leak in the md driver.
References:
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5697
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5697
http://www.openwall.com/lists/oss-security/2015/07/28/2
Upstream patch:
===============
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=adbbaa36dd55ff0bde07391d898779760b5206df
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/md-CVE-2015-5697.patch | 55 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 |
2 files changed, 56 insertions, 0 deletions
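--- /dev/null
+++ b/recipes-kernel/linux/files/md-CVE-2015-5697.patch
@@ -0,0 +1,55 @@
+From adbbaa36dd55ff0bde07391d898779760b5206df Mon Sep 17 00:00:00 2001
+From: Benjamin Randazzo <benjamin@randazzo.fr>
+Subject: md: use kzalloc() when bitmap is disabled
+
+commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769 file = kmalloc(sizeof(*file), GFP_NOIO);
+5770 if (!file)
+5771 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786 if (err == 0 &&
+5787 copy_to_user(arg, file, sizeof(*file)))
+5788 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775 /* bitmap disabled, zero the first byte and copy out */
+5776 if (!mddev->bitmap_info.file)
+5777 file->pathname[0] = '\0';
+
+Fixes CVE-2015-5707.
+Upstream-Status: Backport
+
+Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+drivers/md/md.c | 3 +--
+1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index b4067b9..2ffd277 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5645,8 +5645,7 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg)
+char *ptr, *buf = NULL;
+int err = -ENOMEM;
+
+- file = kmalloc(sizeof(*file), GFP_NOIO);
+-
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+if (!file)
+goto out;
+
+--
+cgit v0.11.2
+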
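Review bot: The header of the added patch names the wrong CVE: line 28 reads `Fixes CVE-2015-5707.`, while the file name, the commit title and all three reference links say CVE-2015-5697. CVE-2015-5707 is the identifier of the separate `drivers-scsi-CVE-2015-5707.patch` already listed in the bbappend, so this looks like a copy-paste slip when the backport header was written. Anyone auditing fixed CVEs by reading patch headers would count this as a second 5707 fix and could miss that the md leak is covered, so the line should read `Fixes CVE-2015-5697.`. The embedded hunk shows only the allocation in `get_bitmap_file()`. The `copy_to_user()` it protects is outside the hunk, so it is worth confirming against the 3.14 tree that no other path fills `file` only partly before the copy.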
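--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -9,4 +9,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
 file://fs-CVE-2015-3339.patch \
 file://fs-CVE-2015-5706.patch \
 file://drivers-scsi-CVE-2015-5707.patch \
+file://md-CVE-2015-5697.patch \
 "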