summaryrefslogtreecommitdiffstats
path: root/drivers/md/md.c
diff options
context:
space:
mode:
authorBenjamin Randazzo <benjamin@randazzo.fr>2015-07-25 16:36:50 +0200
committerNeilBrown <neilb@suse.com>2015-08-03 06:56:02 +0200
commitb6878d9e03043695dbf3fa1caa6dfc09db225b16 (patch)
tree510bad0d0725ea8c6bebd28bec5ec350637805c8 /drivers/md/md.c
parentmd/raid1: extend spinlock to protect raid1_end_read_request against inconsist... (diff)
downloadlinux-b6878d9e03043695dbf3fa1caa6dfc09db225b16.tar.xz
linux-b6878d9e03043695dbf3fa1caa6dfc09db225b16.zip
md: use kzalloc() when bitmap is disabled
In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a mdu_bitmap_file_t called "file". 5769 file = kmalloc(sizeof(*file), GFP_NOIO); 5770 if (!file) 5771 return -ENOMEM; This structure is copied to user space at the end of the function. 5786 if (err == 0 && 5787 copy_to_user(arg, file, sizeof(*file))) 5788 err = -EFAULT But if bitmap is disabled only the first byte of "file" is initialized with zero, so it's possible to read some bytes (up to 4095) of kernel space memory from user space. This is an information leak. 5775 /* bitmap disabled, zero the first byte and copy out */ 5776 if (!mddev->bitmap_info.file) 5777 file->pathname[0] = '\0'; Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr> Signed-off-by: NeilBrown <neilb@suse.com>
Diffstat (limited to 'drivers/md/md.c')
-rw-r--r--drivers/md/md.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 0c2a4e8b873c..e25f00f0138a 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -5759,7 +5759,7 @@ static int get_bitmap_file(struct mddev *mddev, void __user * arg)
char *ptr;
int err;
- file = kmalloc(sizeof(*file), GFP_NOIO);
+ file = kzalloc(sizeof(*file), GFP_NOIO);
if (!file)
return -ENOMEM;