diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-12-30 10:05:08 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-12-30 13:00:40 +0100 |
commit | 14f970ed68973debdeaae73a8e2bffb5d7da572e (patch) | |
tree | d2b44624569fcc291331382ac56333d809657098 /recipes-kernel/linux/linux-hierofalcon-3.19 | |
parent | 46cbdbcd69c5da4801506a1bb472d683b1163ea9 (diff) | |
download | meta-hierofalcon-14f970ed68973debdeaae73a8e2bffb5d7da572e.tar.gz |
md driver: CVE-2015-5697
Fixes information leak in md driver of the Linux kernel.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5697
Upstream fix 4.1 kernel:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=33afeac21b9cb79ad8fc5caf239af89c79e25e1e
Upstream fix for 3.19 kernel (from stable kernel.3.18):
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=e46e18eb387767fa26356417210ef41d0855ef1e
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'recipes-kernel/linux/linux-hierofalcon-3.19')
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch new file mode 100644 index 0000000..e1725ea --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From e46e18eb387767fa26356417210ef41d0855ef1e Mon Sep 17 00:00:00 2001 | ||
2 | From: Benjamin Randazzo <benjamin@randazzo.fr> | ||
3 | Date: Sat, 25 Jul 2015 16:36:50 +0200 | ||
4 | Subject: md: use kzalloc() when bitmap is disabled | ||
5 | |||
6 | [ Upstream commit 33afeac21b9cb79ad8fc5caf239af89c79e25e1e ] | ||
7 | |||
8 | commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream. | ||
9 | |||
10 | In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a | ||
11 | mdu_bitmap_file_t called "file". | ||
12 | |||
13 | 5769 file = kmalloc(sizeof(*file), GFP_NOIO); | ||
14 | 5770 if (!file) | ||
15 | 5771 return -ENOMEM; | ||
16 | |||
17 | This structure is copied to user space at the end of the function. | ||
18 | |||
19 | 5786 if (err == 0 && | ||
20 | 5787 copy_to_user(arg, file, sizeof(*file))) | ||
21 | 5788 err = -EFAULT | ||
22 | |||
23 | But if bitmap is disabled only the first byte of "file" is initialized | ||
24 | with zero, so it's possible to read some bytes (up to 4095) of kernel | ||
25 | space memory from user space. This is an information leak. | ||
26 | |||
27 | 5775 /* bitmap disabled, zero the first byte and copy out */ | ||
28 | 5776 if (!mddev->bitmap_info.file) | ||
29 | 5777 file->pathname[0] = '\0'; | ||
30 | |||
31 | Fixes CVE-2015-5697. | ||
32 | Upstream-Status: Backport | ||
33 | |||
34 | Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr> | ||
35 | Signed-off-by: NeilBrown <neilb@suse.com> | ||
36 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
37 | Signed-off-by: Sasha Levin <sasha.levin@oracle.com> | ||
38 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
39 | --- | ||
40 | drivers/md/md.c | 3 +-- | ||
41 | 1 file changed, 1 insertion(+), 2 deletions(-) | ||
42 | |||
43 | diff --git a/drivers/md/md.c b/drivers/md/md.c | ||
44 | index 4339035..dd7a370 100644 | ||
45 | --- a/drivers/md/md.c | ||
46 | +++ b/drivers/md/md.c | ||
47 | @@ -5432,8 +5432,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg) | ||
48 | char *ptr, *buf = NULL; | ||
49 | int err = -ENOMEM; | ||
50 | |||
51 | - file = kmalloc(sizeof(*file), GFP_NOIO); | ||
52 | - | ||
53 | + file = kzalloc(sizeof(*file), GFP_NOIO); | ||
54 | if (!file) | ||
55 | goto out; | ||
56 | |||
57 | -- | ||
58 | cgit v0.11.2 | ||
59 | |||