    aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 · d36db46c
    Benjamin LaHaise authored
    commit edfbbf388f293d70bf4b7c0bc38774d05e6f711a upstream.
    
    A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
    by commit a31ad380.  The changes made to
    aio_read_events_ring() failed to correctly limit the index into
    ctx->ring_pages[], allowing an attacker to cause the subsequent kmap() of
    an arbitrary page with a copy_to_user() to copy the contents into userspace.
    This vulnerability has been assigned CVE-2014-0206.  Thanks to Mateusz and
    Petr for disclosing this issue.
    
    This patch applies to v3.12+.  A separate backport is needed for 3.10/3.11.
    
    [jmoyer@redhat.com: backported to 3.10]
    Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
    Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
    Cc: Mateusz Guzik <mguzik@redhat.com>
    Cc: Petr Matousek <pmatouse@redhat.com>
    Cc: Kent Overstreet <kmo@daterainc.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
aio.c 32.8 KB
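As an added illustration (not code from this commit, nor from the kernel's aio.c): a user-space C model of a page-backed completion ring showing where the bound on the ring index belongs. The struct and function names (ring_ctx, locate_event, read_event), page count, header size and event size are assumptions made for the example, and `head` is treated as an untrusted value. The unbounded path reports the out-of-range page index instead of reading it, so the model shows the missing check rather than reproducing the disclosure.

```c
/* Constructed user-space model of a page-backed completion ring, written to
 * illustrate the index bound the commit describes. This is not the kernel's
 * aio.c: names (ring_ctx, locate_event, read_event, NR_PAGES, HEADER_EVENTS)
 * and sizes are assumptions chosen for the example. */
#include <stdio.h>
#include <string.h>

#define PAGE_SZ         4096
#define EVENT_SZ        32                    /* assumed completion record size */
#define EVENTS_PER_PAGE (PAGE_SZ / EVENT_SZ)  /* 128 */
#define HEADER_EVENTS   1                     /* slots taken by the ring header in page 0 */
#define NR_PAGES        4

struct ring_ctx {
    unsigned nr_events;                       /* usable slots: NR_PAGES*EVENTS_PER_PAGE - HEADER_EVENTS */
    unsigned char pages[NR_PAGES][PAGE_SZ];   /* analogue of the page array a reader indexes */
};

static void ring_init(struct ring_ctx *ctx)
{
    memset(ctx, 0, sizeof *ctx);
    ctx->nr_events = NR_PAGES * EVENTS_PER_PAGE - HEADER_EVENTS;
    /* Stamp each page so a read shows which page it came from. */
    for (unsigned p = 0; p < NR_PAGES; p++)
        memset(ctx->pages[p], 0x10 + p, PAGE_SZ);
}

/* Resolve ring slot `head` to (page, byte offset). `head` is untrusted.
 * With bounded == 0 the slot is used as-is, so a large head selects a page
 * index beyond the array (the bug); with bounded != 0 it is first reduced
 * modulo nr_events, so the page index is always < NR_PAGES (the fix).
 * Returns 0 when the page index is in range, -1 otherwise. */
static int locate_event(const struct ring_ctx *ctx, unsigned head, int bounded,
                        unsigned *page, unsigned *offset)
{
    if (bounded)
        head %= ctx->nr_events;
    unsigned pos = head + HEADER_EVENTS;
    *page = pos / EVENTS_PER_PAGE;
    *offset = (pos % EVENTS_PER_PAGE) * EVENT_SZ;
    return *page < NR_PAGES ? 0 : -1;
}

/* Copy one event out of the ring, refusing any slot that resolves to a page
 * outside the array. Returns 0 on success, -1 if the lookup was rejected. */
static int read_event(const struct ring_ctx *ctx, unsigned head, int bounded,
                      unsigned char out[EVENT_SZ])
{
    unsigned page, off;
    if (locate_event(ctx, head, bounded, &page, &off) < 0)
        return -1;
    memcpy(out, ctx->pages[page] + off, EVENT_SZ);
    return 0;
}

int main(void)
{
    struct ring_ctx ctx;
    unsigned char ev[EVENT_SZ];
    unsigned page, off;
    unsigned head = 1000;               /* larger than nr_events (511) */

    ring_init(&ctx);
    if (locate_event(&ctx, head, 0, &page, &off) < 0)
        printf("unbounded: head %u -> page %u, outside %u pages, rejected\n",
               head, page, NR_PAGES);
    if (read_event(&ctx, head, 1, ev) == 0) {
        locate_event(&ctx, head, 1, &page, &off);
        printf("bounded:   head %u -> slot %u, page %u, first byte 0x%02x\n",
               head, head % ctx.nr_events, page, ev[0]);
    }
    return 0;
}
```

The reduction `head %= nr_events` has to happen before the slot is turned into a page index; reducing afterwards, or only checking `head < nr_events` on the header value without adjusting it, leaves the page lookup driven by whatever value was found in the ring header.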