From: Benjamin LaHaise <bcrl@kvack.org>
To: Jeff Moyer <jmoyer@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
security@kernel.org, linux-aio@kvack.org,
linux-kernel@vger.kernel.org, Mateusz Guzik <mguzik@redhat.com>,
Petr Matousek <pmatouse@redhat.com>,
Kent Overstreet <kmo@daterainc.com>,
stable@vger.kernel.org
Subject: Re: [PATCH 2/2] aio: fix kernel memory disclosure in io_getevents() introduced in v3.10
Date: Tue, 24 Jun 2014 14:39:18 -0400 [thread overview]
Message-ID: <20140624183918.GM23137@kvack.org> (raw)
In-Reply-To: <x4961jqb207.fsf@segfault.boston.devel.redhat.com>
On Tue, Jun 24, 2014 at 02:23:20PM -0400, Jeff Moyer wrote:
> Benjamin LaHaise <bcrl@kvack.org> writes:
>
> > A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
> > by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to
> > aio_read_events_ring() failed to correctly limit the index into
> > ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of
> > an arbitrary page with a copy_to_user() to copy the contents into userspace.
> > This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and
> > Petr for disclosing this issue.
> >
> > This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.
>
> Note that a 3.10 backport will need to remove this line from free_ioctx
> as well:
> atomic_sub(avail, &ctx->reqs_active);
>
> Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
Can you post the backport for 3.10 so the -stable folks have something they
can use that was tested? Cheers,
-ben
--
"Thought is the essence of where you are now."
next prev parent reply other threads:[~2014-06-24 18:39 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 18:01 [PATCH 0/2] aio: fixes for kernel memory disclosure in aio read events Benjamin LaHaise
2014-06-24 18:01 ` [PATCH 1/2] aio: fix aio request leak when events are reaped by userspace Benjamin LaHaise
2014-06-24 18:20 ` Jeff Moyer
2014-08-19 16:37 ` Revert "aio: fix aio request leak when events are reaped by user space" Dan Aloni
2014-08-19 16:54 ` Benjamin LaHaise
2014-08-19 17:14 ` Dan Aloni
2014-08-20 0:46 ` Benjamin LaHaise
2014-08-22 16:01 ` Benjamin LaHaise
2014-08-22 16:15 ` Dan Aloni
2014-08-22 16:26 ` Benjamin LaHaise
2014-08-22 18:51 ` Dan Aloni
2014-08-22 21:43 ` Linus Torvalds
2014-08-24 18:11 ` Benjamin LaHaise
2014-08-26 1:11 ` Kent Overstreet
2014-08-24 18:05 ` Benjamin LaHaise
2014-08-24 18:48 ` Dan Aloni
2014-08-27 20:26 ` Jeff Moyer
2014-08-25 15:06 ` Elliott, Robert (Server Storage)
2014-08-25 15:11 ` Benjamin LaHaise
2014-06-24 18:02 ` [PATCH 2/2] aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 Benjamin LaHaise
2014-06-24 18:23 ` Jeff Moyer
2014-06-24 18:39 ` Benjamin LaHaise [this message]
2014-06-24 19:21 ` Jeff Moyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140624183918.GM23137@kvack.org \
--to=bcrl@kvack.org \
--cc=jmoyer@redhat.com \
--cc=kmo@daterainc.com \
--cc=linux-aio@kvack.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mguzik@redhat.com \
--cc=pmatouse@redhat.com \
--cc=security@kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).