A kernel memory disclosure was introduced in aio_read_events_ring() in
v3.10 by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes
made to aio_read_events_ring() failed to correctly limit the index into
ctx->ring_pages[], so an attacker could make the subsequent kmap() map
an arbitrary page and the following copy_to_user() copy that page's
contents into userspace.
Upstream patches:
https://lkml.org/lkml/2014/6/24/619
https://lkml.org/lkml/2014/6/24/623
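As an added illustration (not the kernel's code and not the upstream fix), the constructed user-space model below shows the defect class described above: head and tail indices read from a ring header that the consumer can write must be bounded by the ring's size before they select a backing page. page_index_unchecked() is the unbounded computation; read_events_checked() reduces both indices modulo the ring size and bounds the page index before copying. The constants, the fill pattern and demo() are the example's own assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Constructed user-space model of a completion ring; not the kernel's kioctx. */
#define EVENT_SIZE      32
#define EVENTS_PER_PAGE (4096 / EVENT_SIZE)          /* 128 events per page */
#define NR_PAGES        2
#define NR_EVENTS       (NR_PAGES * EVENTS_PER_PAGE) /* 256-event ring */
/* The header is mapped by the consumer, so head and tail are untrusted input. */
struct ring_hdr { uint32_t head, tail; };
static unsigned char ring_pages[NR_PAGES][4096];
static struct ring_hdr hdr;
static unsigned last_first_byte;
/* Vulnerable shape: the page index comes straight from the header value, so a
 * head beyond NR_EVENTS selects a page outside ring_pages[]. */
unsigned page_index_unchecked(uint32_t head)
{
    return head / EVENTS_PER_PAGE;
}
/* Hardened shape: fold head and tail into the ring before choosing a page, and
 * keep an explicit page-index bound as a second line of defence. */
int read_events_checked(unsigned char *out, unsigned max_events)
{
    uint32_t head = hdr.head % NR_EVENTS;
    uint32_t tail = hdr.tail % NR_EVENTS;
    unsigned copied = 0;
    while (head != tail && copied < max_events) {
        unsigned pidx = head / EVENTS_PER_PAGE;
        if (pidx >= NR_PAGES)
            return -1;                  /* unreachable after the reduction */
        memcpy(out + copied * EVENT_SIZE,
               &ring_pages[pidx][(head % EVENTS_PER_PAGE) * EVENT_SIZE], EVENT_SIZE);
        head = (head + 1) % NR_EVENTS;
        copied++;
    }
    return (int)copied;
}
/* Constructed scenario: page k is filled with byte 0xA0 + k and the consumer has
 * written the given head/tail into the shared header. Returns events copied. */
int demo(uint32_t head, uint32_t tail)
{
    static unsigned char out[NR_EVENTS * EVENT_SIZE];
    for (unsigned k = 0; k < NR_PAGES; k++)
        memset(ring_pages[k], 0xA0 + k, sizeof ring_pages[k]);
    hdr.head = head; hdr.tail = tail;
    int n = read_events_checked(out, NR_EVENTS);
    last_first_byte = n > 0 ? out[0] : 0;
    return n;
}
unsigned demo_first_byte(void) { return last_first_byte; }
```

With a consumer-written head of 1000000 the unchecked index (7812) lies far outside the two-page array, while the checked reader folds it to slot 64 and copies only from the ring's own pages.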
This issue was discovered by Mateusz Guzik of Red Hat.
--
Petr Matousek / Red Hat Product Security
PGP: 0xC44977CA
8107 AF16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA