md driver: CVE-2015-5697

Fixes information leak in md driver of the Linux kernel. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5697 Upstream fix 4.1 kernel: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=33afeac21b9cb79ad8fc5caf239af89c79e25e1e Upstream fix for 3.19 kernel (from stable kernel.3.18): https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=e46e18eb387767fa26356417210ef41d0855ef1e Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-12-30 10:05:08 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2015-12-30 13:00:40 +0100
commit: 14f970ed68973debdeaae73a8e2bffb5d7da572e (patch)
tree: d2b44624569fcc291331382ac56333d809657098 /recipes-kernel/linux/linux-hierofalcon-3.19
parent: 46cbdbcd69c5da4801506a1bb472d683b1163ea9 (diff)
download: meta-hierofalcon-14f970ed68973debdeaae73a8e2bffb5d7da572e.tar.gz
1 files changed, 59 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch
new file mode 100644
index 0000000..e1725ea
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch
@@ -0,0 +1,59 @@
+From e46e18eb387767fa26356417210ef41d0855ef1e Mon Sep 17 00:00:00 2001
+From: Benjamin Randazzo <benjamin@randazzo.fr>
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+[ Upstream commit 33afeac21b9cb79ad8fc5caf239af89c79e25e1e ]
+commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+5769         file = kmalloc(sizeof(*file), GFP_NOIO);
+5770         if (!file)
+5771                 return -ENOMEM;
+This structure is copied to user space at the end of the function.
+5786         if (err == 0 &&
+5787             copy_to_user(arg, file, sizeof(*file)))
+5788                 err = -EFAULT
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+5775         /* bitmap disabled, zero the first byte and copy out */
+5776         if (!mddev->bitmap_info.file)
+5777                 file->pathname[0] = '\0';
+Fixes CVE-2015-5697.
+Upstream-Status: Backport
+Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/md/md.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 4339035..dd7a370 100644
+--- a/drivers/md/md.c
+++ b/drivers/md/md.c
+@@ -5432,8 +5432,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
+        char *ptr, *buf = NULL;
+        int err = -ENOMEM;
+ 
+-       file = kmalloc(sizeof(*file), GFP_NOIO);
+-
+       file = kzalloc(sizeof(*file), GFP_NOIO);
+        if (!file)
+                goto out;
+ 
+-- 
+cgit v0.11.2
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-12-30 10:05:08 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2015-12-30 13:00:40 +0100
commit	14f970ed68973debdeaae73a8e2bffb5d7da572e (patch)
tree	d2b44624569fcc291331382ac56333d809657098 /recipes-kernel/linux/linux-hierofalcon-3.19
parent	46cbdbcd69c5da4801506a1bb472d683b1163ea9 (diff)
download	meta-hierofalcon-14f970ed68973debdeaae73a8e2bffb5d7da572e.tar.gz

diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch new file mode 100644 index 0000000..e1725ea --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch
@@ -0,0 +1,59 @@
	1	From e46e18eb387767fa26356417210ef41d0855ef1e Mon Sep 17 00:00:00 2001
	2	From: Benjamin Randazzo <benjamin@randazzo.fr>
	3	Date: Sat, 25 Jul 2015 16:36:50 +0200
	4	Subject: md: use kzalloc() when bitmap is disabled
	5
	6	[ Upstream commit 33afeac21b9cb79ad8fc5caf239af89c79e25e1e ]
	7
	8	commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
	9
	10	In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
	11	mdu_bitmap_file_t called "file".
	12
	13	5769 file = kmalloc(sizeof(*file), GFP_NOIO);
	14	5770 if (!file)
	15	5771 return -ENOMEM;
	16
	17	This structure is copied to user space at the end of the function.
	18
	19	5786 if (err == 0 &&
	20	5787 copy_to_user(arg, file, sizeof(*file)))
	21	5788 err = -EFAULT
	22
	23	But if bitmap is disabled only the first byte of "file" is initialized
	24	with zero, so it's possible to read some bytes (up to 4095) of kernel
	25	space memory from user space. This is an information leak.
	26
	27	5775 /* bitmap disabled, zero the first byte and copy out */
	28	5776 if (!mddev->bitmap_info.file)
	29	5777 file->pathname[0] = '\0';
	30
	31	Fixes CVE-2015-5697.
	32	Upstream-Status: Backport
	33
	34	Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
	35	Signed-off-by: NeilBrown <neilb@suse.com>
	36	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	37	Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
	38	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	39	---
	40	drivers/md/md.c \| 3 +--
	41	1 file changed, 1 insertion(+), 2 deletions(-)
	42
	43	diff --git a/drivers/md/md.c b/drivers/md/md.c
	44	index 4339035..dd7a370 100644
	45	--- a/drivers/md/md.c
	46	+++ b/drivers/md/md.c
	47	@@ -5432,8 +5432,7 @@ static int get_bitmap_file(struct mddev mddev, void __user arg)
	48	char ptr, buf = NULL;
	49	int err = -ENOMEM;
	50
	51	- file = kmalloc(sizeof(*file), GFP_NOIO);
	52	-
	53	+ file = kzalloc(sizeof(*file), GFP_NOIO);
	54	if (!file)
	55	goto out;
	56
	57	--
	58	cgit v0.11.2
	59