    aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 · edfbbf38
    Benjamin LaHaise authored
    A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
    by commit a31ad380.  The changes made to
    aio_read_events_ring() failed to correctly limit the index into
    ctx->ring_pages[], allowing an attacker to cause the subsequent kmap() of
    an arbitrary page with a copy_to_user() to copy the contents into userspace.
    This vulnerability has been assigned CVE-2014-0206.  Thanks to Mateusz and
    Petr for disclosing this issue.
    
    This patch applies to v3.12+.  A separate backport is needed for 3.10/3.11.
    Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
    Cc: Mateusz Guzik <mguzik@redhat.com>
    Cc: Petr Matousek <pmatouse@redhat.com>
    Cc: Kent Overstreet <kmo@daterainc.com>
    Cc: Jeff Moyer <jmoyer@redhat.com>
    Cc: stable@vger.kernel.org