[PATCH 3.13.y-ckt 01/60] md: use kzalloc() when bitmap is disabled

[Kamal Mostafa]

3.13.11-ckt26 -stable review patch.  If anyone has any objections, please let 
me know.

--

From: Benjamin Randazzo 

commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.

In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
mdu_bitmap_file_t called "file".

5769 file = kmalloc(sizeof(*file), GFP_NOIO);
5770 if (!file)
5771 return -ENOMEM;

This structure is copied to user space at the end of the function.

5786 if (err == 0 &&
5787 copy_to_user(arg, file, sizeof(*file)))
5788 err = -EFAULT

But if bitmap is disabled only the first byte of "file" is initialized
with zero, so it's possible to read some bytes (up to 4095) of kernel
space memory from user space. This is an information leak.

5775 /* bitmap disabled, zero the first byte and copy out */
5776 if (!mddev->bitmap_info.file)
5777 file->pathname[0] = '\0';

Signed-off-by: Benjamin Randazzo 
Signed-off-by: NeilBrown 
Reference: CVE-2015-5697
Signed-off-by: Kamal Mostafa 
---
 drivers/md/md.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 2ee29a7..8cccbdf 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -5633,7 +5633,7 @@ static int get_bitmap_file(struct mddev * mddev, void 
__user * arg)
char *ptr, *buf = NULL;
int err = -ENOMEM;
 
-   file = kmalloc(sizeof(*file), GFP_NOIO);
+   file = kzalloc(sizeof(*file), GFP_NOIO);
 
if (!file)
goto out;
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[PATCH 3.13.y-ckt 01/60] md: use kzalloc() when bitmap is disabled

[Kamal Mostafa]

3.13.11-ckt26 -stable review patch.  If anyone has any objections, please let 
me know.

--

From: Benjamin Randazzo 

commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.

In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
mdu_bitmap_file_t called "file".

5769 file = kmalloc(sizeof(*file), GFP_NOIO);
5770 if (!file)
5771 return -ENOMEM;

This structure is copied to user space at the end of the function.

5786 if (err == 0 &&
5787 copy_to_user(arg, file, sizeof(*file)))
5788 err = -EFAULT

But if bitmap is disabled only the first byte of "file" is initialized
with zero, so it's possible to read some bytes (up to 4095) of kernel
space memory from user space. This is an information leak.

5775 /* bitmap disabled, zero the first byte and copy out */
5776 if (!mddev->bitmap_info.file)
5777 file->pathname[0] = '\0';

Signed-off-by: Benjamin Randazzo 
Signed-off-by: NeilBrown 
Reference: CVE-2015-5697
Signed-off-by: Kamal Mostafa 
---
 drivers/md/md.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 2ee29a7..8cccbdf 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -5633,7 +5633,7 @@ static int get_bitmap_file(struct mddev * mddev, void 
__user * arg)
char *ptr, *buf = NULL;
int err = -ENOMEM;
 
-   file = kmalloc(sizeof(*file), GFP_NOIO);
+   file = kzalloc(sizeof(*file), GFP_NOIO);
 
if (!file)
goto out;
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/