| From edfbbf388f293d70bf4b7c0bc38774d05e6f711a Mon Sep 17 00:00:00 2001 |
| From: Benjamin LaHaise <bcrl@kvack.org> |
| Date: Tue, 24 Jun 2014 13:32:51 -0400 |
| Subject: aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 |
| |
| From: Benjamin LaHaise <bcrl@kvack.org> |
| |
| commit edfbbf388f293d70bf4b7c0bc38774d05e6f711a upstream. |
| |
| A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10 |
| by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to |
| aio_read_events_ring() failed to correctly limit the index into |
| ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of |
| an arbitrary page with a copy_to_user() to copy the contents into userspace. |
| This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and |
| Petr for disclosing this issue. |
| |
| This patch applies to v3.12+. A separate backport is needed for 3.10/3.11. |
| |
| Signed-off-by: Benjamin LaHaise <bcrl@kvack.org> |
| Cc: Mateusz Guzik <mguzik@redhat.com> |
| Cc: Petr Matousek <pmatouse@redhat.com> |
| Cc: Kent Overstreet <kmo@daterainc.com> |
| Cc: Jeff Moyer <jmoyer@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/aio.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/fs/aio.c |
| +++ b/fs/aio.c |
| @@ -1049,6 +1049,9 @@ static long aio_read_events_ring(struct |
| if (head == tail) |
| goto out; |
| |
| + head %= ctx->nr_events; |
| + tail %= ctx->nr_events; |
| + |
| while (ret < nr) { |
| long avail; |
| struct io_event *ev; |