[thirdparty/kernel/stable-queue.git] / releases / 3.10.87 / md-use-kzalloc-when-bitmap-is-disabled.patch

From b6878d9e03043695dbf3fa1caa6dfc09db225b16 Mon Sep 17 00:00:00 2001
From: Benjamin Randazzo <benjamin@randazzo.fr>
Date: Sat, 25 Jul 2015 16:36:50 +0200
Subject: md: use kzalloc() when bitmap is disabled

From: Benjamin Randazzo <benjamin@randazzo.fr>

commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.

In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
mdu_bitmap_file_t called "file".

5769         file = kmalloc(sizeof(*file), GFP_NOIO);
5770         if (!file)
5771                 return -ENOMEM;

This structure is copied to user space at the end of the function.

5786         if (err == 0 &&
5787             copy_to_user(arg, file, sizeof(*file)))
5788                 err = -EFAULT

But if bitmap is disabled only the first byte of "file" is initialized
with zero, so it's possible to read some bytes (up to 4095) of kernel
space memory from user space. This is an information leak.

5775         /* bitmap disabled, zero the first byte and copy out */
5776         if (!mddev->bitmap_info.file)
5777                 file->pathname[0] = '\0';

Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/md.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -5628,9 +5628,9 @@ static int get_bitmap_file(struct mddev
 	int err = -ENOMEM;
 
 	if (md_allow_write(mddev))
-		file = kmalloc(sizeof(*file), GFP_NOIO);
+		file = kzalloc(sizeof(*file), GFP_NOIO);
 	else
-		file = kmalloc(sizeof(*file), GFP_KERNEL);
+		file = kzalloc(sizeof(*file), GFP_KERNEL);
 
 	if (!file)
 		goto out;
Commit	Line	Data
1f8f7215 GKH	1	From b6878d9e03043695dbf3fa1caa6dfc09db225b16 Mon Sep 17 00:00:00 2001
	2	From: Benjamin Randazzo <benjamin@randazzo.fr>
	3	Date: Sat, 25 Jul 2015 16:36:50 +0200
	4	Subject: md: use kzalloc() when bitmap is disabled
	5
	6	From: Benjamin Randazzo <benjamin@randazzo.fr>
	7
	8	commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
	9
	10	In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
	11	mdu_bitmap_file_t called "file".
	12
	13	5769 file = kmalloc(sizeof(*file), GFP_NOIO);
	14	5770 if (!file)
	15	5771 return -ENOMEM;
	16
	17	This structure is copied to user space at the end of the function.
	18
	19	5786 if (err == 0 &&
	20	5787 copy_to_user(arg, file, sizeof(*file)))
	21	5788 err = -EFAULT
	22
	23	But if bitmap is disabled only the first byte of "file" is initialized
	24	with zero, so it's possible to read some bytes (up to 4095) of kernel
	25	space memory from user space. This is an information leak.
	26
	27	5775 /* bitmap disabled, zero the first byte and copy out */
	28	5776 if (!mddev->bitmap_info.file)
	29	5777 file->pathname[0] = '\0';
	30
	31	Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
	32	Signed-off-by: NeilBrown <neilb@suse.com>
	33	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	34
	35	---
	36	drivers/md/md.c \| 4 ++--
	37	1 file changed, 2 insertions(+), 2 deletions(-)
	38
	39	--- a/drivers/md/md.c
	40	+++ b/drivers/md/md.c
	41	@@ -5628,9 +5628,9 @@ static int get_bitmap_file(struct mddev
	42	int err = -ENOMEM;
	43
	44	if (md_allow_write(mddev))
	45	- file = kmalloc(sizeof(*file), GFP_NOIO);
	46	+ file = kzalloc(sizeof(*file), GFP_NOIO);
	47	else
	48	- file = kmalloc(sizeof(*file), GFP_KERNEL);
	49	+ file = kzalloc(sizeof(*file), GFP_KERNEL);
	50
	51	if (!file)
	52	goto out;