From: NeilBrown <neilb@suse.com>
To: Benjamin Randazzo <benjamin@randazzo.fr>
Cc: linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drivers/md/md.c: use kzalloc() when bitmap is disabled
Date: Mon, 27 Jul 2015 11:36:21 +1000
Message-ID: <20150727113621.7eef4eec@noble>
In-Reply-To: <1437835010-11430-1-git-send-email-benjamin@randazzo.fr>
On Sat, 25 Jul 2015 16:36:50 +0200 Benjamin Randazzo
<benjamin@randazzo.fr> wrote:
> In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
> mdu_bitmap_file_t called "file".
>
> 5769 file = kmalloc(sizeof(*file), GFP_NOIO);
> 5770 if (!file)
> 5771 return -ENOMEM;
>
> This structure is copied to user space at the end of the function.
>
> 5786 if (err == 0 &&
> 5787 copy_to_user(arg, file, sizeof(*file)))
> 5788 err = -EFAULT
>
> But if the bitmap is disabled, only the first byte of "file" is initialized
> with zero, so it's possible to read some bytes (up to 4095) of kernel
> space memory from user space. This is an information leak.
>
> 5775 /* bitmap disabled, zero the first byte and copy out */
> 5776 if (!mddev->bitmap_info.file)
> 5777 file->pathname[0] = '\0';
>
> Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
> ---
> drivers/md/md.c | 21 ++++++++++-----------
> 1 file changed, 10 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c
> index 80879dc..382bdbc 100644
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -5766,22 +5766,21 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
> char *ptr;
> int err;
>
> - file = kmalloc(sizeof(*file), GFP_NOIO);
> + file = kzalloc(sizeof(*file), GFP_NOIO);
> if (!file)
> return -ENOMEM;
>
> err = 0;
> spin_lock(&mddev->lock);
> - /* bitmap disabled, zero the first byte and copy out */
> - if (!mddev->bitmap_info.file)
> - file->pathname[0] = '\0';
> - else if ((ptr = file_path(mddev->bitmap_info.file,
> - file->pathname, sizeof(file->pathname))),
> - IS_ERR(ptr))
> - err = PTR_ERR(ptr);
> - else
> - memmove(file->pathname, ptr,
> - sizeof(file->pathname)-(ptr-file->pathname));
> + /* bitmap enabled */
> + if (mddev->bitmap_info.file) {
> + if ((ptr = file_path(mddev->bitmap_info.file, file->pathname,
> + sizeof(file->pathname))), IS_ERR(ptr))
> + err = PTR_ERR(ptr);
> + else
> + memmove(file->pathname, ptr,
> + sizeof(file->pathname)-(ptr-file->pathname));
> + }
> spin_unlock(&mddev->lock);
>
> if (err == 0 &&
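Review bot: the `ptr = file_path(...)` assignment is still buried inside the `if` condition of the new `if (mddev->bitmap_info.file)` block, which is hard to read now that the disabled case no longer needs an `else` chain; hoisting it as `ptr = file_path(mddev->bitmap_info.file, file->pathname, sizeof(file->pathname));` followed by `if (IS_ERR(ptr))` keeps the behaviour identical. The `/* bitmap enabled */` comment would also be more useful if it said why the disabled case now needs no code at all, namely that kzalloc() already leaves `pathname` as a fully zeroed empty string, so the whole struct is initialized before copy_to_user().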
Thanks.
I re-arranged the code a little bit more as there is no longer any
excuse for having the "ptr = file_path()" assignment inside the
condition of the 'if'.
Applied. Thanks,
NeilBrown
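As an added illustration (not part of the patch or of the kernel code), a user-space model of the two variants in the hunk: a constructed 'S' fill stands in for the stale contents of a kmalloc() buffer, model_file_path() imitates file_path() writing the path at the end of the buffer, and leaked_bytes() counts what copy_to_user() would hand over past the terminating NUL.

```c
#include <stddef.h>
#include <string.h>
#define PATH_BUF 64  /* stands in for sizeof(file->pathname), 4096 in the kernel */

struct model_bitmap_file {
    char pathname[PATH_BUF];
};

/* Model of file_path(): the path is built at the END of the buffer and a
 * pointer into it is returned, which is why the hunk memmove()s it forward. */
static char *model_file_path(const char *path, char *buf, size_t buflen)
{
    size_t len = strlen(path);
    if (len + 1 > buflen)
        return NULL;                     /* kernel: an ERR_PTR() instead */
    memcpy(buf + buflen - len - 1, path, len + 1);
    return buf + buflen - len - 1;
}

/* Mirrors the hunk: zeroed=0 is the kmalloc() code, zeroed=1 the kzalloc() code.
 * The 'S' fill is a constructed stand-in for whatever the allocation held before. */
static void model_get_bitmap_file(struct model_bitmap_file *file,
                                  const char *bitmap_path, int zeroed)
{
    memset(file, zeroed ? 0 : 'S', sizeof(*file));
    if (!bitmap_path) {                  /* bitmap disabled */
        if (!zeroed)
            file->pathname[0] = '\0';    /* old code: only one byte zeroed */
        return;
    }
    char *ptr = model_file_path(bitmap_path, file->pathname,
                                sizeof(file->pathname));
    if (ptr)
        memmove(file->pathname, ptr,
                sizeof(file->pathname) - (ptr - file->pathname));
}

/* Non-zero bytes after the NUL that would be copied out: with kmalloc() that is
 * the stale 'S' fill, i.e. uninitialised kernel memory reaching user space. */
size_t leaked_bytes(const char *bitmap_path, int zeroed)
{
    struct model_bitmap_file file;
    size_t i = 0, leaked = 0;
    model_get_bitmap_file(&file, bitmap_path, zeroed);
    while (i < sizeof(file.pathname) && file.pathname[i] != '\0')
        i++;                             /* locate the terminating NUL */
    for (i++; i < sizeof(file.pathname); i++)
        if (file.pathname[i] != '\0')
            leaked++;
    return leaked;
}
```

With the bitmap disabled, the kmalloc() variant hands over every byte but the first; with it enabled and kzalloc(), the only non-zero bytes past the NUL are the leftover copy of the path itself at the end of the buffer, data user space was given anyway.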