APPLIED: [Precise][CVE-2015-5697] md: use kzalloc() when bitmap is disabled
Kamal Mostafa
kamal at canonical.com
Thu Aug 13 16:34:30 UTC 2015
On Thu, 2015-08-13 at 08:33 -0700, Kamal Mostafa wrote:
> From: Benjamin Randazzo <benjamin at randazzo.fr>
>
> commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
>
> In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
> mdu_bitmap_file_t called "file".
>
> 5769 file = kmalloc(sizeof(*file), GFP_NOIO);
> 5770 if (!file)
> 5771 return -ENOMEM;
>
> This structure is copied to user space at the end of the function.
>
> 5786 if (err == 0 &&
> 5787 copy_to_user(arg, file, sizeof(*file)))
> 5788 err = -EFAULT
>
> But if bitmap is disabled only the first byte of "file" is initialized
> with zero, so it's possible to read some bytes (up to 4095) of kernel
> space memory from user space. This is an information leak.
>
> 5775 /* bitmap disabled, zero the first byte and copy out */
> 5776 if (!mddev->bitmap_info.file)
> 5777 file->pathname[0] = '\0';
>
> Signed-off-by: Benjamin Randazzo <benjamin at randazzo.fr>
> Signed-off-by: NeilBrown <neilb at suse.com>
> Reference: CVE-2015-5697
> [ kamal: backport to 3.2 (Ubuntu Precise): fixed both "file = kmalloc()" paths ]
> Signed-off-by: Kamal Mostafa <kamal at canonical.com>
> ---
> drivers/md/md.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c
> index ea8a181..d7e9242 100644
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -5384,9 +5384,9 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg)
> int err = -ENOMEM;
>
> if (md_allow_write(mddev))
> - file = kmalloc(sizeof(*file), GFP_NOIO);
> + file = kzalloc(sizeof(*file), GFP_NOIO);
> else
> - file = kmalloc(sizeof(*file), GFP_KERNEL);
> + file = kzalloc(sizeof(*file), GFP_KERNEL);
>
> if (!file)
> goto out;
> --
> 1.9.1
>
>
More information about the kernel-team
mailing list