From 14f970ed68973debdeaae73a8e2bffb5d7da572e Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Wed, 30 Dec 2015 10:05:08 +0100
Subject: md driver: CVE-2015-5697
Fixes information leak in md driver of the Linux kernel. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5697 Upstream fix 4.1 kernel: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=33afeac21b9cb79ad8fc5caf239af89c79e25e1e Upstream fix for 3.19 kernel (from stable kernel.3.18): https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=e46e18eb387767fa26356417210ef41d0855ef1e
Signed-off-by: Sona Sarmadi
Signed-off-by: Tudor Florea
---
 .../linux-hierofalcon-3.19/md-CVE-2015-5697.patch | 59 ++++++++++++++++++++++
 .../linux-hierofalcon-4.1/md-CVE-2015-5697.patch | 55 ++++++++++++++++++++
 recipes-kernel/linux/linux-hierofalcon_3.19.bb | 1 +
 recipes-kernel/linux/linux-hierofalcon_4.1.bb | 1 +
 4 files changed, 116 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch
 create mode 100644 recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch
diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch
new file mode 100644
index 0000000..e1725ea
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch
@@ -0,0 +1,59 @@
+From e46e18eb387767fa26356417210ef41d0855ef1e Mon Sep 17 00:00:00 2001
+From: Benjamin Randazzo
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+
+[ Upstream commit 33afeac21b9cb79ad8fc5caf239af89c79e25e1e ]
+
+commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769 file = kmalloc(sizeof(*file), GFP_NOIO);
+5770 if (!file)
+5771 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786 if (err == 0 &&
+5787 copy_to_user(arg, file, sizeof(*file)))
+5788 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775 /* bitmap disabled, zero the first byte and copy out */
+5776 if (!mddev->bitmap_info.file)
+5777 file->pathname[0] = '\0';
+
+Fixes CVE-2015-5697.
+Upstream-Status: Backport
+
+Signed-off-by: Benjamin Randazzo
+Signed-off-by: NeilBrown
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Sona Sarmadi
+---
+ drivers/md/md.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 4339035..dd7a370 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5432,8 +5432,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
+ char *ptr, *buf = NULL;
+ int err = -ENOMEM;
+
+- file = kmalloc(sizeof(*file), GFP_NOIO);
+-
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+ if (!file)
+ goto out;
+
+--
+cgit v0.11.2
+
diff --git a/recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch b/recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch
new file mode 100644
index 0000000..e6b5d2e
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch
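Review bot: In the new linux-hierofalcon-3.19/md-CVE-2015-5697.patch, the embedded md.c hunk (`@@ -5432,8 +5432,7 @@`, context `int err = -ENOMEM;` … `goto out;`) comes from the 3.18 stable tree according to the commit description and the `[ Upstream commit … ]` line, so it should be confirmed to apply without fuzz or offset to the md.c that linux-yocto-3.19 builds, and regenerated from that tree if it does not. The patch header has `Upstream-Status: Backport` but no machine-readable CVE tag; I would add `CVE: CVE-2015-5697` beside it, here and in the 4.1 copy, so CVE tracking does not depend on the file name alone. The change itself matches the leak described: copy_to_user() sends sizeof(*file) bytes, so zeroing the whole allocation with kzalloc() is what closes it; the rest of get_bitmap_file() lies outside the embedded hunk.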
@@ -0,0 +1,55 @@
+From 33afeac21b9cb79ad8fc5caf239af89c79e25e1e Mon Sep 17 00:00:00 2001
+From: Benjamin Randazzo
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+
+commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769 file = kmalloc(sizeof(*file), GFP_NOIO);
+5770 if (!file)
+5771 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786 if (err == 0 &&
+5787 copy_to_user(arg, file, sizeof(*file)))
+5788 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775 /* bitmap disabled, zero the first byte and copy out */
+5776 if (!mddev->bitmap_info.file)
+5777 file->pathname[0] = '\0';
+
+Fixes CVE-2015-5697.
+Upstream-Status: Backport
+
+Signed-off-by: Benjamin Randazzo
+Signed-off-by: NeilBrown
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ drivers/md/md.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index b920028..e462151 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5740,7 +5740,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
+ char *ptr;
+ int err;
+
+- file = kmalloc(sizeof(*file), GFP_NOIO);
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+ if (!file)
+ return -ENOMEM;
+
+--
+cgit v0.11.2
+
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index 5e11c05..bc0dff0 100644
--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -23,6 +23,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6 file://mnt-CVE-2015-4177.patch \ file://fs_pin-CVE-2015-4178.patch \ file://fs-CVE-2015-5706.patch \ + file://md-CVE-2015-5697.patch \ " S = "${WORKDIR}/git" diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb index f927122..c4e87a1 100644 --- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb +++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb @@ -24,6 +24,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64 file://keys-CVE-2015-1333.patch \ file://RDS-CVE-2015-6937.patch \ file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \ + file://md-CVE-2015-5697.patch \ " S = "${WORKDIR}/git" -- cgit v1.2.3-54-g00ecf