summaryrefslogtreecommitdiffstats
path: root/recipes-kernel/linux
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2015-12-30 10:05:08 +0100
committerTudor Florea <tudor.florea@enea.com>2015-12-30 13:00:40 +0100
commit14f970ed68973debdeaae73a8e2bffb5d7da572e (patch)
treed2b44624569fcc291331382ac56333d809657098 /recipes-kernel/linux
parent46cbdbcd69c5da4801506a1bb472d683b1163ea9 (diff)
downloadmeta-hierofalcon-14f970ed68973debdeaae73a8e2bffb5d7da572e.tar.gz
md driver: CVE-2015-5697
Fixes information leak in md driver of the Linux kernel. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5697 Upstream fix 4.1 kernel: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=33afeac21b9cb79ad8fc5caf239af89c79e25e1e Upstream fix for 3.19 kernel (from stable kernel.3.18): https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=e46e18eb387767fa26356417210ef41d0855ef1e Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'recipes-kernel/linux')
-rw-r--r--recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch59
-rw-r--r--recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch55
-rw-r--r--recipes-kernel/linux/linux-hierofalcon_3.19.bb1
-rw-r--r--recipes-kernel/linux/linux-hierofalcon_4.1.bb1
4 files changed, 116 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch
new file mode 100644
index 0000000..e1725ea
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch
@@ -0,0 +1,59 @@
1From e46e18eb387767fa26356417210ef41d0855ef1e Mon Sep 17 00:00:00 2001
2From: Benjamin Randazzo <benjamin@randazzo.fr>
3Date: Sat, 25 Jul 2015 16:36:50 +0200
4Subject: md: use kzalloc() when bitmap is disabled
5
6[ Upstream commit 33afeac21b9cb79ad8fc5caf239af89c79e25e1e ]
7
8commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
9
10In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
11mdu_bitmap_file_t called "file".
12
135769 file = kmalloc(sizeof(*file), GFP_NOIO);
145770 if (!file)
155771 return -ENOMEM;
16
17This structure is copied to user space at the end of the function.
18
195786 if (err == 0 &&
205787 copy_to_user(arg, file, sizeof(*file)))
215788 err = -EFAULT
22
23But if bitmap is disabled only the first byte of "file" is initialized
24with zero, so it's possible to read some bytes (up to 4095) of kernel
25space memory from user space. This is an information leak.
26
275775 /* bitmap disabled, zero the first byte and copy out */
285776 if (!mddev->bitmap_info.file)
295777 file->pathname[0] = '\0';
30
31Fixes CVE-2015-5697.
32Upstream-Status: Backport
33
34Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
35Signed-off-by: NeilBrown <neilb@suse.com>
36Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
37Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
38Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
39---
40 drivers/md/md.c | 3 +--
41 1 file changed, 1 insertion(+), 2 deletions(-)
42
43diff --git a/drivers/md/md.c b/drivers/md/md.c
44index 4339035..dd7a370 100644
45--- a/drivers/md/md.c
46+++ b/drivers/md/md.c
47@@ -5432,8 +5432,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
48 char *ptr, *buf = NULL;
49 int err = -ENOMEM;
50
51- file = kmalloc(sizeof(*file), GFP_NOIO);
52-
53+ file = kzalloc(sizeof(*file), GFP_NOIO);
54 if (!file)
55 goto out;
56
57--
58cgit v0.11.2
59
diff --git a/recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch b/recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch
new file mode 100644
index 0000000..e6b5d2e
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch
@@ -0,0 +1,55 @@
1From 33afeac21b9cb79ad8fc5caf239af89c79e25e1e Mon Sep 17 00:00:00 2001
2From: Benjamin Randazzo <benjamin@randazzo.fr>
3Date: Sat, 25 Jul 2015 16:36:50 +0200
4Subject: md: use kzalloc() when bitmap is disabled
5
6commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
7
8In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
9mdu_bitmap_file_t called "file".
10
115769 file = kmalloc(sizeof(*file), GFP_NOIO);
125770 if (!file)
135771 return -ENOMEM;
14
15This structure is copied to user space at the end of the function.
16
175786 if (err == 0 &&
185787 copy_to_user(arg, file, sizeof(*file)))
195788 err = -EFAULT
20
21But if bitmap is disabled only the first byte of "file" is initialized
22with zero, so it's possible to read some bytes (up to 4095) of kernel
23space memory from user space. This is an information leak.
24
255775 /* bitmap disabled, zero the first byte and copy out */
265776 if (!mddev->bitmap_info.file)
275777 file->pathname[0] = '\0';
28
29Fixes CVE-2015-5697.
30Upstream-Status: Backport
31
32Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
33Signed-off-by: NeilBrown <neilb@suse.com>
34Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
35Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
36---
37 drivers/md/md.c | 2 +-
38 1 file changed, 1 insertion(+), 1 deletion(-)
39
40diff --git a/drivers/md/md.c b/drivers/md/md.c
41index b920028..e462151 100644
42--- a/drivers/md/md.c
43+++ b/drivers/md/md.c
44@@ -5740,7 +5740,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
45 char *ptr;
46 int err;
47
48- file = kmalloc(sizeof(*file), GFP_NOIO);
49+ file = kzalloc(sizeof(*file), GFP_NOIO);
50 if (!file)
51 return -ENOMEM;
52
53--
54cgit v0.11.2
55
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index 5e11c05..bc0dff0 100644
--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -23,6 +23,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
23 file://mnt-CVE-2015-4177.patch \ 23 file://mnt-CVE-2015-4177.patch \
24 file://fs_pin-CVE-2015-4178.patch \ 24 file://fs_pin-CVE-2015-4178.patch \
25 file://fs-CVE-2015-5706.patch \ 25 file://fs-CVE-2015-5706.patch \
26 file://md-CVE-2015-5697.patch \
26 " 27 "
27 28
28S = "${WORKDIR}/git" 29S = "${WORKDIR}/git"
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
index f927122..c4e87a1 100644
--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -24,6 +24,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
24 file://keys-CVE-2015-1333.patch \ 24 file://keys-CVE-2015-1333.patch \
25 file://RDS-CVE-2015-6937.patch \ 25 file://RDS-CVE-2015-6937.patch \
26 file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \ 26 file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \
27 file://md-CVE-2015-5697.patch \
27 " 28 "
28 29
29S = "${WORKDIR}/git" 30S = "${WORKDIR}/git"