author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-12-30 10:05:08 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-12-30 13:00:40 +0100 |
commit | 14f970ed68973debdeaae73a8e2bffb5d7da572e (patch) | |
tree | d2b44624569fcc291331382ac56333d809657098 /recipes-kernel/linux/linux-hierofalcon-4.1 | |
parent | 46cbdbcd69c5da4801506a1bb472d683b1163ea9 (diff) | |
md driver: CVE-2015-5697
Fixes information leak in md driver of the Linux kernel.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5697
Upstream fix 4.1 kernel:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=33afeac21b9cb79ad8fc5caf239af89c79e25e1e
Upstream fix for 3.19 kernel (from stable kernel.3.18):
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=e46e18eb387767fa26356417210ef41d0855ef1e
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'recipes-kernel/linux/linux-hierofalcon-4.1')
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch | 55 |
1 files changed, 55 insertions, 0 deletions
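--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch
@@ -0,0 +1,55 @@
+From 33afeac21b9cb79ad8fc5caf239af89c79e25e1e Mon Sep 17 00:00:00 2001
+From: Benjamin Randazzo <benjamin@randazzo.fr>
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+
+commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769 file = kmalloc(sizeof(*file), GFP_NOIO);
+5770 if (!file)
+5771 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786 if (err == 0 &&
+5787 copy_to_user(arg, file, sizeof(*file)))
+5788 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775 /* bitmap disabled, zero the first byte and copy out */
+5776 if (!mddev->bitmap_info.file)
+5777 file->pathname[0] = '\0';
+
+Fixes CVE-2015-5697.
+Upstream-Status: Backport
+
+Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+drivers/md/md.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index b920028..e462151 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5740,7 +5740,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
+char *ptr;
+int err;
+
+- file = kmalloc(sizeof(*file), GFP_NOIO);
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+if (!file)
+return -ENOMEM;
+
+--
+cgit v0.11.2
+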
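Review bot: The patch header (lines 29-30 of the new file) records the CVE only in free text, `Fixes CVE-2015-5697.`, and gives `Upstream-Status: Backport` with no reference. Consider adding a `CVE: CVE-2015-5697` tag line and writing `Upstream-Status: Backport [b6878d9e03043695dbf3fa1caa6dfc09db225b16]`, so patch-tracking and CVE-scanning tooling can match the fix without parsing prose. This view is path-limited to the patch directory, so it does not show whether the kernel recipe's SRC_URI references md-CVE-2015-5697.patch. That is worth confirming, because an unreferenced patch file would leave the kmalloc() allocation, and the uninitialised bytes copied out by copy_to_user(), in the built kernel. The one-line kzalloc() change is consistent with the upstream description quoted in the header; get_bitmap_file's body continues outside the inner hunk.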