android_kernel_google_msm/drivers/md
Benjamin Randazzo 842c36214f md: use kzalloc() when bitmap is disabled
commit b6878d9e03043695dbf3fa1caa6dfc09db225b16 upstream.

In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
mdu_bitmap_file_t called "file".

5769         file = kmalloc(sizeof(*file), GFP_NOIO);
5770         if (!file)
5771                 return -ENOMEM;

This structure is copied to user space at the end of the function.

5786         if (err == 0 &&
5787             copy_to_user(arg, file, sizeof(*file)))
5788                 err = -EFAULT;

But if bitmap is disabled only the first byte of "file" is initialized
with zero, so it's possible to read some bytes (up to 4095) of kernel
space memory from user space. This is an information leak.

5775         /* bitmap disabled, zero the first byte and copy out */
5776         if (!mddev->bitmap_info.file)
5777                 file->pathname[0] = '\0';

Signed-off-by: Benjamin Randazzo <benjamin@randazzo.fr>
Signed-off-by: NeilBrown <neilb@suse.com>
[lizf: Backported to 3.4: fix both branches]
Signed-off-by: Zefan Li <lizefan@huawei.com>
2015-09-18 09:20:46 +08:00
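
The leak described in the commit message above, modelled in user space. This is an added example, not code from the commit or from md.c: the one-object slab, toy_kmalloc(), toy_kzalloc() and leaked_bytes() are hypothetical stand-ins, and the 0xA5 fill is constructed data standing for what a previous owner left in the memory.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for mdu_bitmap_file_t; 4096 matches the "up to 4095" bytes
 * named in the commit message. */
struct bitmap_file { char pathname[4096]; };

/* Toy one-object slab (hypothetical): memory is handed out again with
 * whatever its previous owner wrote into it. */
static unsigned char slab[sizeof(struct bitmap_file)];

static void *toy_kmalloc(void) { return slab; }  /* old contents remain */
static void *toy_kzalloc(void) { memset(slab, 0, sizeof(slab)); return slab; }

/* Models get_bitmap_file() with the bitmap disabled and returns how many
 * stale (non-zero) bytes end up in the caller's copy. */
static size_t leaked_bytes(int use_kzalloc)
{
    struct bitmap_file *file, user_copy;
    size_t i, stale = 0;

    memset(slab, 0xA5, sizeof(slab));  /* constructed previous-owner data */

    file = use_kzalloc ? toy_kzalloc() : toy_kmalloc();
    file->pathname[0] = '\0';          /* the only byte this branch writes */

    /* Models copy_to_user(arg, file, sizeof(*file)): the whole object is
     * copied out, not just the initialized part. */
    memcpy(&user_copy, file, sizeof(*file));

    for (i = 0; i < sizeof(user_copy.pathname); i++)
        if (user_copy.pathname[i] != '\0')
            stale++;
    return stale;
}

int main(void)
{
    printf("kmalloc-style: %zu stale bytes copied out\n", leaked_bytes(0));
    printf("kzalloc-style: %zu stale bytes copied out\n", leaked_bytes(1));
    return 0;
}
```

The pattern to look for in review is the same one shown here: a non-zeroing allocation, a branch that initializes only part of the object, and a copy to user space sized by sizeof() of the whole object.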
..
persistent-data dm thin: fix discard corruption 2014-06-07 16:02:05 -07:00
bitmap.c
bitmap.h
dm-bio-record.h
dm-bufio.c dm bufio: change __GFP_IO to __GFP_FS in shrinker callbacks 2015-02-02 17:05:16 +08:00
dm-bufio.h
dm-builtin.c dm sysfs: fix a module unload race 2014-02-20 10:45:32 -08:00
dm-crypt.c dm crypt: fix deadlock when async crypto algorithm returns -EBUSY 2015-09-18 09:20:30 +08:00
dm-delay.c dm delay: fix a possible deadlock due to shared workqueue 2013-12-20 07:34:20 -08:00
dm-exception-store.c
dm-exception-store.h
dm-flakey.c dm: fix truncated status strings 2013-12-08 07:29:43 -08:00
dm-io.c dm io: deal with wandering queue limits when handling REQ_DISCARD and REQ_WRITE_SAME 2015-06-19 11:40:25 +08:00
dm-ioctl.c dm: fix truncated status strings 2013-12-08 07:29:43 -08:00
dm-kcopyd.c
dm-linear.c dm: fix truncated status strings 2013-12-08 07:29:43 -08:00
dm-log-userspace-base.c
dm-log-userspace-transfer.c dm log userspace: fix memory leak in dm_ulog_tfr_init failure path 2015-02-02 17:04:47 +08:00
dm-log-userspace-transfer.h
dm-log.c
dm-mpath.c dm mpath: fix race condition between multipath_dtr and pg_init_done 2014-06-07 16:02:05 -07:00
dm-mpath.h
dm-path-selector.c
dm-path-selector.h
dm-queue-length.c
dm-raid.c dm raid: ensure superblock's size matches device's logical block size 2015-02-02 17:05:17 +08:00
dm-raid1.c dm mirror: do not degrade the mirror on discard error 2015-06-19 11:40:16 +08:00
dm-region-hash.c
dm-round-robin.c
dm-service-time.c
dm-snap-persistent.c dm snapshot: fix data corruption 2013-11-04 04:23:42 -08:00
dm-snap-transient.c
dm-snap.c dm snapshot: fix a possible invalid memory access on unload 2015-06-19 11:40:17 +08:00
dm-stripe.c dm: fix truncated status strings 2013-12-08 07:29:43 -08:00
dm-sysfs.c dm sysfs: fix a module unload race 2014-02-20 10:45:32 -08:00
dm-table.c dm table: fail dm_table_create on dm_round_up overflow 2013-12-20 07:34:20 -08:00
dm-target.c
dm-thin-metadata.c
dm-thin-metadata.h
dm-thin.c dm thin: fix discard corruption 2014-06-07 16:02:05 -07:00
dm-uevent.c
dm-uevent.h
dm-verity.c dm: fix truncated status strings 2013-12-08 07:29:43 -08:00
dm-zero.c
dm.c dm: hold suspend_lock while suspending device during device deletion 2015-06-19 11:40:25 +08:00
dm.h dm sysfs: fix a module unload race 2014-02-20 10:45:32 -08:00
faulty.c
Kconfig dm sysfs: fix a module unload race 2014-02-20 10:45:32 -08:00
linear.c
linear.h
Makefile dm sysfs: fix a module unload race 2014-02-20 10:45:32 -08:00
md.c md: use kzalloc() when bitmap is disabled 2015-09-18 09:20:46 +08:00
md.h
multipath.c
multipath.h
raid0.c
raid0.h
raid1.c md: Fix skipping recovery for read-only arrays. 2013-11-13 12:01:48 +09:00
raid1.h
raid5.c md/raid5: don't record new size if resize_stripes fails. 2015-09-18 09:20:38 +08:00
raid5.h md/raid5: fix interaction of 'replace' and 'recovery'. 2013-08-04 16:26:00 +08:00
raid10.c md/raid10: fix "enough" function for detecting if array is failed. 2014-06-07 16:02:05 -07:00
raid10.h