On Wed, Jun 25, 2014 at 02:36:57PM -0700, Zach Brown wrote: > On Wed, Jun 25, 2014 at 04:50:51PM -0400, Jeff Moyer wrote: > > > > From: Benjamin LaHaise <[email protected]> > > > > A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10 > > by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to > > aio_read_events_ring() failed to correctly limit the index into > > ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of > > an arbitrary page with a copy_to_user() to copy the contents into userspace. > > This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and > > Petr for disclosing this issue. > > > > [[email protected]: backported to 3.10] > > Signed-off-by: Benjamin LaHaise <[email protected]> > > Signed-off-by: Jeff Moyer <[email protected]> > > Cc: Mateusz Guzik <[email protected]> > > Cc: Petr Matousek <[email protected]> > > Cc: Kent Overstreet <[email protected]> > > Cc: [email protected] > > --- > > aio.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/fs/aio.c b/fs/aio.c > > index e66b948..872fd26 100644 > > --- a/fs/aio.c > > +++ b/fs/aio.c > > @@ -717,6 +717,8 @@ static long aio_read_events_ring(struct kioctx *ctx, > > if (head == ctx->tail) > > goto out; > > > > + head %= ctx->nr_events; > > + > > while (ret < nr) { > > long avail; > > struct io_event *ev; > > > Hmm. Are you sure it's safe to clamp head but not ctx->tail? The body > of the loop still has: > > avail = (head <= ctx->tail ? ctx->tail : ctx->nr_events) - head;
Oops, nope, my mistake! ctx->tail is still stored modulo nr_events. I somehow had it in my head that the giant series patches had changed that. Never mind. Carry on :). - z -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
