3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 11 Aug 2015 22:34:30 +0000 (15:34 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 11 Aug 2015 22:34:30 +0000 (15:34 -0700)
added patches:
md-use-kzalloc-when-bitmap-is-disabled.patch

queue-3.10/md-use-kzalloc-when-bitmap-is-disabled.patch [new file with mode: 0644]
queue-3.10/series

diff --git a/queue-3.10/md-use-kzalloc-when-bitmap-is-disabled.patch b/queue-3.10/md-use-kzalloc-when-bitmap-is-disabled.patch
new file mode 100644 (file)
index 0000000..172323c
--- /dev/null
@@ -0,0 +1,52 @@
+From b6878d9e03043695dbf3fa1caa6dfc09db225b16 Mon Sep 17 00:00:00 2001
+From: Benjamin Randazzo <benjamin@randazzo.fr>
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+
+From: Benjamin Randazzo <benjamin@randazzo.fr>
+
+commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769         file = kmalloc(sizeof(*file), GFP_NOIO);
+5770         if (!file)
+5771                 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786         if (err == 0 &&
+5787             copy_to_user(arg, file, sizeof(*file)))
+5788                 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775         /* bitmap disabled, zero the first byte and copy out */
+5776         if (!mddev->bitmap_info.file)
+5777                 file->pathname[0] = '\0';
+
+Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/md.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5628,9 +5628,9 @@ static int get_bitmap_file(struct mddev
+       int err = -ENOMEM;
+       if (md_allow_write(mddev))
+-              file = kmalloc(sizeof(*file), GFP_NOIO);
++              file = kzalloc(sizeof(*file), GFP_NOIO);
+       else
+-              file = kmalloc(sizeof(*file), GFP_KERNEL);
++              file = kzalloc(sizeof(*file), GFP_KERNEL);
+       if (!file)
+               goto out;
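Review bot: The upstream lines quoted in the message (5769–5788) show a single `kmalloc(sizeof(*file), GFP_NOIO)`, while the 3.10 hunk at `@@ -5628` converts two allocation sites under `md_allow_write(mddev)`, so the description does not match the code this backport patches. A backport line in the message, such as `[3.10: convert both the GFP_NOIO and the GFP_KERNEL allocation]`, would make that explicit for anyone auditing the queue later. The copy-out quoted in the message is `copy_to_user(arg, file, sizeof(*file))`, so the zeroing is what keeps stale heap bytes out of user space; presumably that also covers a bitmap path shorter than `pathname`, not only the disabled case the message describes. A short comment above the allocation, e.g. `/* zeroed: the whole struct is copied to user space */`, would stop a later cleanup from switching back to kmalloc(). get_bitmap_file's body continues outside the hunk, so the copy-out and the `pathname[0]` assignment could not be checked against the 3.10 tree here.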
index 455c714677ab166da104e236a10ee8fdbf56bf0a..d8349c71350ef9b2f2c4fdf769ca3710f07a1798 100644 (file)
@@ -8,3 +8,4 @@ ipr-fix-incorrect-trace-indexing.patch
 ipr-fix-invalid-array-indexing-for-hrrq.patch
 xhci-fix-off-by-one-error-in-trb-dma-address-boundary-check.patch
 usb-sierra-add-1199-68ab-device-id.patch
+md-use-kzalloc-when-bitmap-is-disabled.patch