Re: [PATCH] target: Explicitly clear ramdisk_mcp backend pages

Luis Henriques <luis.henriques@xxxxxxxxxxxxx> · Mon, 30 Jun 2014 11:30:23 +0100

On Mon, Jun 16, 2014 at 08:59:52PM +0000, Nicholas A. Bellinger wrote:
> From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
> 
> Hi Greg,
> 
> Please apply the following patch to stable, as it addresses a potential
> security issue as reported by Jorge.
> 
> Note that a different patch to address the same issue went in during
> v3.15-rc1 (commit 4442dc8a), but includes a bunch of other changes that
> don't strictly apply to fixing the bug.
> 
> This is a one-liner that addresses the bug for all <= v3.14 versions.
> 
> Please apply.
> 
> Thanks,
> 
> --nab
> 

Thank you, I'll queue this patch for the 3.11 kernel as well.

Cheers,
--
Luís

> -------------------------------------------------------------------
> 
> This patch changes rd_allocate_sgl_table() to explicitly clear
> ramdisk_mcp backend memory pages by passing __GFP_ZERO into
> alloc_pages().
> 
> This addresses a potential security issue where reading from a
> ramdisk_mcp could return sensitive information, and follows what
> >= v3.15 does to explicitly clear ramdisk_mcp memory at backend
> device initialization time.
> 
> Reported-by: Jorge Daniel Sequeira Matias <jdsm@xxxxxxxxxxxxxxxxxx>
> Cc: Jorge Daniel Sequeira Matias <jdsm@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
> ---
>  drivers/target/target_core_rd.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/target/target_core_rd.c b/drivers/target/target_core_rd.c
> index b920db3..7b331b9 100644
> --- a/drivers/target/target_core_rd.c
> +++ b/drivers/target/target_core_rd.c
> @@ -158,7 +158,7 @@ static int rd_allocate_sgl_table(struct rd_dev *rd_dev, struct rd_dev_sg_table *
>  						- 1;
>  
>  		for (j = 0; j < sg_per_table; j++) {
> -			pg = alloc_pages(GFP_KERNEL, 0);
> +			pg = alloc_pages(GFP_KERNEL | __GFP_ZERO, 0);
>  			if (!pg) {
>  				pr_err("Unable to allocate scatterlist"
>  					" pages for struct rd_dev_sg_table\n");
> -- 
> 1.8.5.3
> 
> --
> To unsubscribe from this list: send the line "unsubscribe stable" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html