From: Greg Kroah-Hartman
Date: Tue, 11 Aug 2015 22:34:30 +0000 (-0700)
Subject: 3.10-stable patches
X-Git-Tag: v3.10.87~41
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1f8f721563af195b70a382c9a35a04dd3b486d04;p=thirdparty%2Fkernel%2Fstable-queue.git

3.10-stable patches

added patches:
md-use-kzalloc-when-bitmap-is-disabled.patch
---
diff --git a/queue-3.10/md-use-kzalloc-when-bitmap-is-disabled.patch b/queue-3.10/md-use-kzalloc-when-bitmap-is-disabled.patch
new file mode 100644
index 00000000000..172323c51c7
--- /dev/null
+++ b/queue-3.10/md-use-kzalloc-when-bitmap-is-disabled.patch
@@ -0,0 +1,52 @@
+From b6878d9e03043695dbf3fa1caa6dfc09db225b16 Mon Sep 17 00:00:00 2001
+From: Benjamin Randazzo
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+
+From: Benjamin Randazzo
+
+commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769 file = kmalloc(sizeof(*file), GFP_NOIO);
+5770 if (!file)
+5771 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786 if (err == 0 &&
+5787 copy_to_user(arg, file, sizeof(*file)))
+5788 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775 /* bitmap disabled, zero the first byte and copy out */
+5776 if (!mddev->bitmap_info.file)
+5777 file->pathname[0] = '\0';
+
+Signed-off-by: Benjamin Randazzo
+Signed-off-by: NeilBrown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/md.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5628,9 +5628,9 @@ static int get_bitmap_file(struct mddev
+ int err = -ENOMEM;
+
+ if (md_allow_write(mddev))
+- file = kmalloc(sizeof(*file), GFP_NOIO);
++ file = kzalloc(sizeof(*file), GFP_NOIO);
+ else
+- file = kmalloc(sizeof(*file), GFP_KERNEL);
++ file = kzalloc(sizeof(*file), GFP_KERNEL);
+
+ if (!file)
+ goto out;
diff --git a/queue-3.10/series b/queue-3.10/series
index 455c714677a..d8349c71350 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -8,3 +8,4 @@ ipr-fix-incorrect-trace-indexing.patch
 ipr-fix-invalid-array-indexing-for-hrrq.patch
 xhci-fix-off-by-one-error-in-trb-dma-address-boundary-check.patch
 usb-sierra-add-1199-68ab-device-id.patch
+md-use-kzalloc-when-bitmap-is-disabled.patch
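Review bot: The single-byte clearing that the changelog quotes from the bitmap-disabled path, `file->pathname[0] = '\0';` under `/* bitmap disabled, zero the first byte and copy out */`, becomes redundant once both `kzalloc()` calls in the hunk zero-fill the whole `sizeof(*file)` that is later handed to `copy_to_user()`; the store is harmless, but the comment now attributes the safety of the copy to the wrong line. If those lines are unchanged in the 3.10 tree, I would reword the comment to `/* bitmap disabled: buffer is already zeroed by kzalloc(), copy it out */` so a later cleanup does not revert to kmalloc() believing the first-byte store is what prevents uninitialised heap memory reaching user space. The remainder of get_bitmap_file(), including that branch and the copy_to_user() the changelog cites, lies outside the hunk, so this is inferred from the quoted changelog rather than from visible code.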