Message ID | 1439479985-6699-1-git-send-email-kamal@canonical.com |
---|---|
State | New |
On Thu, Aug 13, 2015 at 08:33:05AM -0700, Kamal Mostafa wrote: > From: Benjamin Randazzo <benjamin@randazzo.fr> > > commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream. > > In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a > mdu_bitmap_file_t called "file". > > 5769 file = kmalloc(sizeof(*file), GFP_NOIO); > 5770 if (!file) > 5771 return -ENOMEM; > > This structure is copied to user space at the end of the function. > > 5786 if (err == 0 && > 5787 copy_to_user(arg, file, sizeof(*file))) > 5788 err = -EFAULT > > But if bitmap is disabled only the first byte of "file" is initialized > with zero, so it's possible to read some bytes (up to 4095) of kernel > space memory from user space. This is an information leak. > > 5775 /* bitmap disabled, zero the first byte and copy out */ > 5776 if (!mddev->bitmap_info.file) > 5777 file->pathname[0] = '\0'; > > Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr> > Signed-off-by: NeilBrown <neilb@suse.com> > Reference: CVE-2015-5697 > [ kamal: backport to 3.2 (Ubuntu Precise): fixed both "file = kmalloc()" paths ] > Signed-off-by: Kamal Mostafa <kamal@canonical.com> > --- > drivers/md/md.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/md/md.c b/drivers/md/md.c > index ea8a181..d7e9242 100644 > --- a/drivers/md/md.c > +++ b/drivers/md/md.c > @@ -5384,9 +5384,9 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg) > int err = -ENOMEM; > > if (md_allow_write(mddev)) > - file = kmalloc(sizeof(*file), GFP_NOIO); > + file = kzalloc(sizeof(*file), GFP_NOIO); > else > - file = kmalloc(sizeof(*file), GFP_KERNEL); > + file = kzalloc(sizeof(*file), GFP_KERNEL); > > if (!file) > goto out; > -- > 1.9.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
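A user-space model of the leak the commit message describes, added here as an illustration; it is not code from the patch, the kernel, or the Ubuntu kernel team. It assumes the uapi definition of mdu_bitmap_file_t (a single 4096-byte pathname), and replaces kmalloc()/kzalloc()/kfree()/copy_to_user() with the hypothetical kmalloc_sim()/kzalloc_sim()/kfree_sim() and a memcpy over one static arena that is handed out again without being cleared, which is the slab-reuse behaviour the leak depends on. The marker byte and the "previous user" of the object are constructed for the example. The point it makes that the commit message does not spell out: strlen() on the returned pathname reports an empty string on both the old and the fixed path, so the stale bytes are only visible to a reader that inspects the whole copied struct.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* mdu_bitmap_file_t as defined in the kernel uapi header: one 4096-byte path */
typedef struct {
    char pathname[4096];
} mdu_bitmap_file_t;

/*
 * Stand-in for the slab allocator (hypothetical, for this example only):
 * one static arena, handed out again after "free" without being cleared,
 * which is what kmalloc() may do with a recycled object.
 */
static unsigned char slab_arena[sizeof(mdu_bitmap_file_t)];

static void *kmalloc_sim(size_t size)
{
    return size <= sizeof(slab_arena) ? slab_arena : NULL;
}

static void *kzalloc_sim(size_t size)
{
    void *p = kmalloc_sim(size);
    if (p)
        memset(p, 0, size);
    return p;
}

static void kfree_sim(void *p)
{
    (void)p;            /* contents stay in place, as on a real slab */
}

/* Constructed "earlier user" of the same object that leaves data behind. */
static void leave_stale_data(unsigned char marker)
{
    unsigned char *p = kmalloc_sim(sizeof(mdu_bitmap_file_t));
    memset(p, marker, sizeof(mdu_bitmap_file_t));
    kfree_sim(p);
}

/*
 * The "bitmap disabled" path of get_bitmap_file(): allocate, terminate
 * pathname at byte 0, copy the whole struct out.  use_kzalloc selects the
 * patched allocation; false reproduces the pre-fix behaviour.
 */
static int get_bitmap_file_sim(bool use_kzalloc, mdu_bitmap_file_t *user_arg)
{
    mdu_bitmap_file_t *file = use_kzalloc ? kzalloc_sim(sizeof(*file))
                                          : kmalloc_sim(sizeof(*file));
    if (!file)
        return -12;     /* -ENOMEM */

    /* bitmap disabled, zero the first byte and copy out */
    file->pathname[0] = '\0';

    memcpy(user_arg, file, sizeof(*file));      /* copy_to_user() */
    kfree_sim(file);
    return 0;
}

/* Count bytes after the terminating NUL that are not zero: the leak. */
static size_t count_nonzero_after_nul(const mdu_bitmap_file_t *f)
{
    size_t leaked = 0;
    for (size_t i = strlen(f->pathname) + 1; i < sizeof(f->pathname); i++)
        if (f->pathname[i] != 0)
            leaked++;
    return leaked;
}

/* One ioctl round trip; returns how many stale bytes reached user space. */
size_t leaked_bytes(bool use_kzalloc)
{
    static mdu_bitmap_file_t user_arg;
    leave_stale_data(0x41);                 /* constructed marker byte */
    memset(&user_arg, 0, sizeof(user_arg));
    if (get_bitmap_file_sim(use_kzalloc, &user_arg) != 0)
        return (size_t)-1;
    return count_nonzero_after_nul(&user_arg);
}

int main(void)
{
    printf("kmalloc path: %zu stale bytes copied out\n", leaked_bytes(false));
    printf("kzalloc path: %zu stale bytes copied out\n", leaked_bytes(true));
    return 0;
}
```

With the kmalloc path every byte after pathname[0] comes back as the marker (4095 of them, matching the figure in the commit message); with the kzalloc path none do. A test for this class of bug therefore has to compare the full struct against a known fill pattern, not check the string the ioctl nominally returns.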
On Thu, Aug 13, 2015 at 08:33:05AM -0700, Kamal Mostafa wrote: <snip> > > Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr> > Signed-off-by: NeilBrown <neilb@suse.com> > Reference: CVE-2015-5697 > [ kamal: backport to 3.2 (Ubuntu Precise): fixed both "file = kmalloc()" paths ] Looks correct to me, fixing both paths guarantees there will be no leak into user-space in both scenarios. Acked-by: Luis Henriques <luis.henriques@canonical.com> Cheers, -- Luís > Signed-off-by: Kamal Mostafa <kamal@canonical.com> > --- > drivers/md/md.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/md/md.c b/drivers/md/md.c > index ea8a181..d7e9242 100644 > --- a/drivers/md/md.c > +++ b/drivers/md/md.c > @@ -5384,9 +5384,9 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg) > int err = -ENOMEM; > > if (md_allow_write(mddev)) > - file = kmalloc(sizeof(*file), GFP_NOIO); > + file = kzalloc(sizeof(*file), GFP_NOIO); > else > - file = kmalloc(sizeof(*file), GFP_KERNEL); > + file = kzalloc(sizeof(*file), GFP_KERNEL); > > if (!file) > goto out; > -- > 1.9.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
On Thu, 2015-08-13 at 08:33 -0700, Kamal Mostafa wrote: > From: Benjamin Randazzo <benjamin@randazzo.fr> > > commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream. > > In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a > mdu_bitmap_file_t called "file". > > 5769 file = kmalloc(sizeof(*file), GFP_NOIO); > 5770 if (!file) > 5771 return -ENOMEM; > > This structure is copied to user space at the end of the function. > > 5786 if (err == 0 && > 5787 copy_to_user(arg, file, sizeof(*file))) > 5788 err = -EFAULT > > But if bitmap is disabled only the first byte of "file" is initialized > with zero, so it's possible to read some bytes (up to 4095) of kernel > space memory from user space. This is an information leak. > > 5775 /* bitmap disabled, zero the first byte and copy out */ > 5776 if (!mddev->bitmap_info.file) > 5777 file->pathname[0] = '\0'; > > Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr> > Signed-off-by: NeilBrown <neilb@suse.com> > Reference: CVE-2015-5697 > [ kamal: backport to 3.2 (Ubuntu Precise): fixed both "file = kmalloc()" paths ] > Signed-off-by: Kamal Mostafa <kamal@canonical.com> > --- > drivers/md/md.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/md/md.c b/drivers/md/md.c > index ea8a181..d7e9242 100644 > --- a/drivers/md/md.c > +++ b/drivers/md/md.c > @@ -5384,9 +5384,9 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg) > int err = -ENOMEM; > > if (md_allow_write(mddev)) > - file = kmalloc(sizeof(*file), GFP_NOIO); > + file = kzalloc(sizeof(*file), GFP_NOIO); > else > - file = kmalloc(sizeof(*file), GFP_KERNEL); > + file = kzalloc(sizeof(*file), GFP_KERNEL); > > if (!file) > goto out; > -- > 1.9.1 > >
diff --git a/drivers/md/md.c b/drivers/md/md.c index ea8a181..d7e9242 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -5384,9 +5384,9 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg) int err = -ENOMEM; if (md_allow_write(mddev)) - file = kmalloc(sizeof(*file), GFP_NOIO); + file = kzalloc(sizeof(*file), GFP_NOIO); else - file = kmalloc(sizeof(*file), GFP_KERNEL); + file = kzalloc(sizeof(*file), GFP_KERNEL); if (!file) goto out;
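Review bot: the allocation is still duplicated across the two branches of the if (md_allow_write(mddev)) in this hunk, which is exactly what made the 3.2 backport have to touch both paths where upstream touched one; consider folding it into a single call so the two cannot drift apart again, e.g. `gfp_t gfp = md_allow_write(mddev) ? GFP_NOIO : GFP_KERNEL;` followed by `file = kzalloc(sizeof(*file), gfp);`. Moving the zeroing into the allocator rather than the later per-field initialisation is the right choice here, since it makes the copy_to_user() of the whole struct safe regardless of how much of pathname a given path fills in.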