On Wed, Jun 25, 2014 at 04:50:51PM -0400, Jeff Moyer wrote: > > From: Benjamin LaHaise <[email protected]> > > A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10 > by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to > aio_read_events_ring() failed to correctly limit the index into > ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of > an arbitrary page with a copy_to_user() to copy the contents into userspace. > This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and > Petr for disclosing this issue. > > [[email protected]: backported to 3.10] > Signed-off-by: Benjamin LaHaise <[email protected]> > Signed-off-by: Jeff Moyer <[email protected]> > Cc: Mateusz Guzik <[email protected]> > Cc: Petr Matousek <[email protected]> > Cc: Kent Overstreet <[email protected]> > Cc: [email protected] > --- > aio.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/aio.c b/fs/aio.c > index e66b948..872fd26 100644 > --- a/fs/aio.c > +++ b/fs/aio.c > @@ -717,6 +717,8 @@ static long aio_read_events_ring(struct kioctx *ctx, > if (head == ctx->tail) > goto out; > > + head %= ctx->nr_events; > + > while (ret < nr) { > long avail; > struct io_event *ev; > -- > To unsubscribe from this list: send the line "unsubscribe stable" in > the body of a message to [email protected] > More majordomo info at http://vger.kernel.org/majordomo-info.html
Thanks, I'll queue it for the 3.11 kernel as well. Cheers, -- Luís -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
