md: use kzalloc() when bitmap is disabled

commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.

In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
mdu_bitmap_file_t called "file".

5769         file = kmalloc(sizeof(*file), GFP_NOIO);
5770         if (!file)
5771                 return -ENOMEM;

This structure is copied to user space at the end of the function.

5786         if (err == 0 &&
5787             copy_to_user(arg, file, sizeof(*file)))
5788                 err = -EFAULT

But if bitmap is disabled only the first byte of "file" is initialized
with zero, so it's possible to read some bytes (up to 4095) of kernel
space memory from user space. This is an information leak.

5775         /* bitmap disabled, zero the first byte and copy out */
5776         if (!mddev->bitmap_info.file)
5777                 file->pathname[0] = '\0';

Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 631fe3e9c6e558823699477a94c4ab303c2105a4..37ff00d014b42761aa2e5b1b2d4016380c18032c 100644 (file)
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -5628,9 +5628,9 @@ static int get_bitmap_file(struct mddev * mddev, void __user * arg)
        int err = -ENOMEM;
 
        if (md_allow_write(mddev))
-               file = kmalloc(sizeof(*file), GFP_NOIO);
+               file = kzalloc(sizeof(*file), GFP_NOIO);
        else
-               file = kmalloc(sizeof(*file), GFP_KERNEL);
+               file = kzalloc(sizeof(*file), GFP_KERNEL);
 
        if (!file)
                goto out;