diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-12-30 10:05:08 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-12-30 13:00:40 +0100 |
commit | 14f970ed68973debdeaae73a8e2bffb5d7da572e (patch) | |
tree | d2b44624569fcc291331382ac56333d809657098 /recipes-kernel/linux | |
parent | 46cbdbcd69c5da4801506a1bb472d683b1163ea9 (diff) | |
download | meta-hierofalcon-14f970ed68973debdeaae73a8e2bffb5d7da572e.tar.gz |
md driver: CVE-2015-5697
Fixes information leak in md driver of the Linux kernel.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5697
Upstream fix 4.1 kernel:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=33afeac21b9cb79ad8fc5caf239af89c79e25e1e
Upstream fix for 3.19 kernel (from stable kernel.3.18):
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=e46e18eb387767fa26356417210ef41d0855ef1e
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'recipes-kernel/linux')
4 files changed, 116 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch new file mode 100644 index 0000000..e1725ea --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From e46e18eb387767fa26356417210ef41d0855ef1e Mon Sep 17 00:00:00 2001 | ||
2 | From: Benjamin Randazzo <benjamin@randazzo.fr> | ||
3 | Date: Sat, 25 Jul 2015 16:36:50 +0200 | ||
4 | Subject: md: use kzalloc() when bitmap is disabled | ||
5 | |||
6 | [ Upstream commit 33afeac21b9cb79ad8fc5caf239af89c79e25e1e ] | ||
7 | |||
8 | commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream. | ||
9 | |||
10 | In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a | ||
11 | mdu_bitmap_file_t called "file". | ||
12 | |||
13 | 5769 file = kmalloc(sizeof(*file), GFP_NOIO); | ||
14 | 5770 if (!file) | ||
15 | 5771 return -ENOMEM; | ||
16 | |||
17 | This structure is copied to user space at the end of the function. | ||
18 | |||
19 | 5786 if (err == 0 && | ||
20 | 5787 copy_to_user(arg, file, sizeof(*file))) | ||
21 | 5788 err = -EFAULT | ||
22 | |||
23 | But if bitmap is disabled only the first byte of "file" is initialized | ||
24 | with zero, so it's possible to read some bytes (up to 4095) of kernel | ||
25 | space memory from user space. This is an information leak. | ||
26 | |||
27 | 5775 /* bitmap disabled, zero the first byte and copy out */ | ||
28 | 5776 if (!mddev->bitmap_info.file) | ||
29 | 5777 file->pathname[0] = '\0'; | ||
30 | |||
31 | Fixes CVE-2015-5697. | ||
32 | Upstream-Status: Backport | ||
33 | |||
34 | Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr> | ||
35 | Signed-off-by: NeilBrown <neilb@suse.com> | ||
36 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
37 | Signed-off-by: Sasha Levin <sasha.levin@oracle.com> | ||
38 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
39 | --- | ||
40 | drivers/md/md.c | 3 +-- | ||
41 | 1 file changed, 1 insertion(+), 2 deletions(-) | ||
42 | |||
43 | diff --git a/drivers/md/md.c b/drivers/md/md.c | ||
44 | index 4339035..dd7a370 100644 | ||
45 | --- a/drivers/md/md.c | ||
46 | +++ b/drivers/md/md.c | ||
47 | @@ -5432,8 +5432,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg) | ||
48 | char *ptr, *buf = NULL; | ||
49 | int err = -ENOMEM; | ||
50 | |||
51 | - file = kmalloc(sizeof(*file), GFP_NOIO); | ||
52 | - | ||
53 | + file = kzalloc(sizeof(*file), GFP_NOIO); | ||
54 | if (!file) | ||
55 | goto out; | ||
56 | |||
57 | -- | ||
58 | cgit v0.11.2 | ||
59 | |||
diff --git a/recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch b/recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch new file mode 100644 index 0000000..e6b5d2e --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From 33afeac21b9cb79ad8fc5caf239af89c79e25e1e Mon Sep 17 00:00:00 2001 | ||
2 | From: Benjamin Randazzo <benjamin@randazzo.fr> | ||
3 | Date: Sat, 25 Jul 2015 16:36:50 +0200 | ||
4 | Subject: md: use kzalloc() when bitmap is disabled | ||
5 | |||
6 | commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream. | ||
7 | |||
8 | In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a | ||
9 | mdu_bitmap_file_t called "file". | ||
10 | |||
11 | 5769 file = kmalloc(sizeof(*file), GFP_NOIO); | ||
12 | 5770 if (!file) | ||
13 | 5771 return -ENOMEM; | ||
14 | |||
15 | This structure is copied to user space at the end of the function. | ||
16 | |||
17 | 5786 if (err == 0 && | ||
18 | 5787 copy_to_user(arg, file, sizeof(*file))) | ||
19 | 5788 err = -EFAULT | ||
20 | |||
21 | But if bitmap is disabled only the first byte of "file" is initialized | ||
22 | with zero, so it's possible to read some bytes (up to 4095) of kernel | ||
23 | space memory from user space. This is an information leak. | ||
24 | |||
25 | 5775 /* bitmap disabled, zero the first byte and copy out */ | ||
26 | 5776 if (!mddev->bitmap_info.file) | ||
27 | 5777 file->pathname[0] = '\0'; | ||
28 | |||
29 | Fixes CVE-2015-5697. | ||
30 | Upstream-Status: Backport | ||
31 | |||
32 | Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr> | ||
33 | Signed-off-by: NeilBrown <neilb@suse.com> | ||
34 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
35 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
36 | --- | ||
37 | drivers/md/md.c | 2 +- | ||
38 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
39 | |||
40 | diff --git a/drivers/md/md.c b/drivers/md/md.c | ||
41 | index b920028..e462151 100644 | ||
42 | --- a/drivers/md/md.c | ||
43 | +++ b/drivers/md/md.c | ||
44 | @@ -5740,7 +5740,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg) | ||
45 | char *ptr; | ||
46 | int err; | ||
47 | |||
48 | - file = kmalloc(sizeof(*file), GFP_NOIO); | ||
49 | + file = kzalloc(sizeof(*file), GFP_NOIO); | ||
50 | if (!file) | ||
51 | return -ENOMEM; | ||
52 | |||
53 | -- | ||
54 | cgit v0.11.2 | ||
55 | |||
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb index 5e11c05..bc0dff0 100644 --- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb +++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb | |||
@@ -23,6 +23,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6 | |||
23 | file://mnt-CVE-2015-4177.patch \ | 23 | file://mnt-CVE-2015-4177.patch \ |
24 | file://fs_pin-CVE-2015-4178.patch \ | 24 | file://fs_pin-CVE-2015-4178.patch \ |
25 | file://fs-CVE-2015-5706.patch \ | 25 | file://fs-CVE-2015-5706.patch \ |
26 | file://md-CVE-2015-5697.patch \ | ||
26 | " | 27 | " |
27 | 28 | ||
28 | S = "${WORKDIR}/git" | 29 | S = "${WORKDIR}/git" |
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb index f927122..c4e87a1 100644 --- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb +++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb | |||
@@ -24,6 +24,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64 | |||
24 | file://keys-CVE-2015-1333.patch \ | 24 | file://keys-CVE-2015-1333.patch \ |
25 | file://RDS-CVE-2015-6937.patch \ | 25 | file://RDS-CVE-2015-6937.patch \ |
26 | file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \ | 26 | file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \ |
27 | file://md-CVE-2015-5697.patch \ | ||
27 | " | 28 | " |
28 | 29 | ||
29 | S = "${WORKDIR}/git" | 30 | S = "${WORKDIR}/git" |