| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-12-30 10:05:08 +0100 |
|---|---|---|
| committer | Tudor Florea <tudor.florea@enea.com> | 2015-12-30 13:00:40 +0100 |
| commit | 14f970ed68973debdeaae73a8e2bffb5d7da572e (patch) | |
| tree | d2b44624569fcc291331382ac56333d809657098 /recipes-kernel | |
| parent | 46cbdbcd69c5da4801506a1bb472d683b1163ea9 (diff) | |
| download | meta-hierofalcon-14f970ed68973debdeaae73a8e2bffb5d7da572e.tar.gz | |
md driver: CVE-2015-5697
Fixes information leak in md driver of the Linux kernel.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5697
Upstream fix 4.1 kernel:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=33afeac21b9cb79ad8fc5caf239af89c79e25e1e
Upstream fix for 3.19 kernel (from stable kernel.3.18):
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=e46e18eb387767fa26356417210ef41d0855ef1e
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'recipes-kernel')
4 files changed, 116 insertions, 0 deletions
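diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch
new file mode 100644
index 0000000..e1725ea
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-3.19/md-CVE-2015-5697.patch
@@ -0,0 +1,59 @@
+From e46e18eb387767fa26356417210ef41d0855ef1e Mon Sep 17 00:00:00 2001
+From: Benjamin Randazzo <benjamin@randazzo.fr>
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+
+[ Upstream commit 33afeac21b9cb79ad8fc5caf239af89c79e25e1e ]
+
+commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769 file = kmalloc(sizeof(*file), GFP_NOIO);
+5770 if (!file)
+5771 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786 if (err == 0 &&
+5787 copy_to_user(arg, file, sizeof(*file)))
+5788 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775 /* bitmap disabled, zero the first byte and copy out */
+5776 if (!mddev->bitmap_info.file)
+5777 file->pathname[0] = '\0';
+
+Fixes CVE-2015-5697.
+Upstream-Status: Backport
+
+Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+drivers/md/md.c | 3 +--
+1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 4339035..dd7a370 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5432,8 +5432,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
+char *ptr, *buf = NULL;
+int err = -ENOMEM;
+
+- file = kmalloc(sizeof(*file), GFP_NOIO);
+-
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+if (!file)
+goto out;
+
+--
+cgit v0.11.2
+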
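Review bot: `Upstream-Status: Backport` in this patch header names no source, although the file appears to be the 3.18-stable commit (`From e46e18eb…`, still carrying the `[ Upstream commit 33afeac… ]` marker) applied to the 3.19 recipe, so someone auditing CVE-2015-5697 coverage cannot tell from the file which tree the fix was taken from. I would write `Upstream-Status: Backport [linux-stable 3.18.y, commit e46e18eb387767fa26356417210ef41d0855ef1e]`; the 4.1 copy has the same bare line and could cite `33afeac21b9cb79ad8fc5caf239af89c79e25e1e`. Because the hunk at `@@ -5432,8 +5432,7 @@` was generated against a different stable series, it is worth confirming that it applies to the pinned linux-yocto-3.19 revision without fuzz, so that the `kzalloc()` line really replaces the allocation feeding `copy_to_user(arg, file, sizeof(*file))`. The body of get_bitmap_file() continues outside the hunk, so the copy-out path itself is not visible here.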
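diff --git a/recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch b/recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch
new file mode 100644
index 0000000..e6b5d2e
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-4.1/md-CVE-2015-5697.patch
@@ -0,0 +1,55 @@
+From 33afeac21b9cb79ad8fc5caf239af89c79e25e1e Mon Sep 17 00:00:00 2001
+From: Benjamin Randazzo <benjamin@randazzo.fr>
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+
+commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769 file = kmalloc(sizeof(*file), GFP_NOIO);
+5770 if (!file)
+5771 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786 if (err == 0 &&
+5787 copy_to_user(arg, file, sizeof(*file)))
+5788 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775 /* bitmap disabled, zero the first byte and copy out */
+5776 if (!mddev->bitmap_info.file)
+5777 file->pathname[0] = '\0';
+
+Fixes CVE-2015-5697.
+Upstream-Status: Backport
+
+Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+drivers/md/md.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index b920028..e462151 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5740,7 +5740,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
+char *ptr;
+int err;
+
+- file = kmalloc(sizeof(*file), GFP_NOIO);
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+if (!file)
+return -ENOMEM;
+
+--
+cgit v0.11.2
+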
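diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index 5e11c05..bc0dff0 100644
--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -23,6 +23,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
 file://mnt-CVE-2015-4177.patch \
 file://fs_pin-CVE-2015-4178.patch \
 file://fs-CVE-2015-5706.patch \
+file://md-CVE-2015-5697.patch \
 "
 
 S = "${WORKDIR}/git"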
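diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
index f927122..c4e87a1 100644
--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -24,6 +24,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
 file://keys-CVE-2015-1333.patch \
 file://RDS-CVE-2015-6937.patch \
 file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \
+file://md-CVE-2015-5697.patch \
 "
 
 S = "${WORKDIR}/git"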
