mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-22 21:31:15 -05:00
46 lines
1.5 KiB
Diff
46 lines
1.5 KiB
Diff
|
From b6878d9e03043695dbf3fa1caa6dfc09db225b16 Mon Sep 17 00:00:00 2001
|
||
|
From: Benjamin Randazzo <benjamin@randazzo.fr>
|
||
|
Date: Sat, 25 Jul 2015 16:36:50 +0200
|
||
|
Subject: [PATCH] md: use kzalloc() when bitmap is disabled
|
||
|
|
||
|
In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
|
||
|
mdu_bitmap_file_t called "file".
|
||
|
|
||
|
5769 file = kmalloc(sizeof(*file), GFP_NOIO);
|
||
|
5770 if (!file)
|
||
|
5771 return -ENOMEM;
|
||
|
|
||
|
This structure is copied to user space at the end of the function.
|
||
|
|
||
|
5786 if (err == 0 &&
|
||
|
5787 copy_to_user(arg, file, sizeof(*file)))
|
||
|
5788 err = -EFAULT
|
||
|
|
||
|
But if bitmap is disabled only the first byte of "file" is initialized
|
||
|
with zero, so it's possible to read some bytes (up to 4095) of kernel
|
||
|
space memory from user space. This is an information leak.
|
||
|
|
||
|
5775 /* bitmap disabled, zero the first byte and copy out */
|
||
|
5776 if (!mddev->bitmap_info.file)
|
||
|
5777 file->pathname[0] = '\0';
|
||
|
|
||
|
Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
|
||
|
Signed-off-by: NeilBrown <neilb@suse.com>
|
||
|
---
|
||
|
drivers/md/md.c | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/drivers/md/md.c b/drivers/md/md.c
|
||
|
index 0c2a4e8b873c6..e25f00f0138a7 100644
|
||
|
--- a/drivers/md/md.c
|
||
|
+++ b/drivers/md/md.c
|
||
|
@@ -5759,7 +5759,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
|
||
|
char *ptr;
|
||
|
int err;
|
||
|
|
||
|
- file = kmalloc(sizeof(*file), GFP_NOIO);
|
||
|
+ file = kzalloc(sizeof(*file), GFP_NOIO);
|
||
|
if (!file)
|
||
|
return -ENOMEM;
|
||
|
|