[v2.7] kernel: arm64: copying from /dev/zero causes local DoS (CVE-2014-7843)
ARM64 currently doesn’t fix up faults on the single-byte (strb) case of
__clear_user… which means that we can cause a nasty kernel panic as
an ordinary user with any multiple PAGE_SIZE+1 read from /dev/zero.
i.e.: dd if=/dev/zero of=foo ibs=1 count=1 (or ibs=65537, etc.)
Fixed in 3.10.61 and 3.14.25 (please find the links below).
References:
CONFIRM: http://seclists.org/oss-sec/2014/q4/603
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1163744
COMMIT (upstream):
https://github.com/torvalds/linux/commit/97fc15436b36ee3956efad83e22a557991f7d19d
COMMIT (3.10.y):
https://github.com/torvalds/linux/commit/16640ca660f4980fb5c1f4e4febce19875f4c1b8
COMMIT (3.14.y):
https://github.com/torvalds/linux/commit/c6f8075d3934e493980fe83f8a746d74b98f5e51
(from redmine: issue id 3658, created on 2014-12-24, closed on 2017-09-05)
- Relations:
- parent #3656
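
To triage hosts against the fixed versions named above (3.10.61 and 3.14.25), the following added example classifies a machine/kernel-release pair. It is not part of the original issue or of any project's code; the function name `cve_2014_7843_status` and its status strings are made up for this illustration, and kernel series for which this issue gives no fix version are reported as `unknown`.

```shell
#!/bin/sh
# Added example (not from the issue): compare a kernel release string with the
# stable versions this issue lists as fixed for CVE-2014-7843.
# Usage: cve_2014_7843_status <machine> <kernel-release>
# Prints one of: not-applicable | vulnerable | fixed | unknown
cve_2014_7843_status() {
    machine=$1
    release=$2

    # The issue concerns the arm64 __clear_user only.
    case $machine in
        aarch64|aarch64_be|arm64) ;;
        *) echo "not-applicable"; return 0 ;;
    esac

    # Drop any local suffix such as "-0-grsec" or "+", keeping "x.y.z".
    base=${release%%[!0-9.]*}

    # Split on dots into major, minor and sublevel (sublevel defaults to 0).
    old_ifs=$IFS
    IFS=.
    set -- $base
    IFS=$old_ifs
    major=${1:-}
    minor=${2:-}
    sub=${3:-0}

    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo "unknown"
        return 0
    fi

    # First fixed sublevel per stable series, as stated in the issue.
    case "$major.$minor" in
        3.10) fixed_sub=61 ;;
        3.14) fixed_sub=25 ;;
        *) echo "unknown"; return 0 ;;   # the issue names no fix version here
    esac

    if [ "$sub" -lt "$fixed_sub" ]; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# Classify the host this script runs on.
cve_2014_7843_status "$(uname -m)" "$(uname -r)"
```

A vendor kernel can carry the fix as a backport at a lower sublevel, so treat `vulnerable` as a prompt to check the package changelog for the commits listed above.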