CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109)
This commit is contained in:
parent
6bb74174a1
commit
2bd4b14565
|
@ -0,0 +1,45 @@
|
|||
From 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 Mon Sep 17 00:00:00 2001
|
||||
From: Jonathan Salwan <jonathan.salwan@gmail.com>
|
||||
Date: Thu, 06 Jun 2013 00:39:39 +0000
|
||||
Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
|
||||
|
||||
In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
|
||||
area with kmalloc in line 2885.
|
||||
|
||||
2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
|
||||
2886 if (cgc->buffer == NULL)
|
||||
2887 return -ENOMEM;
|
||||
|
||||
In line 2908 we can find the copy_to_user function:
|
||||
|
||||
2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
|
||||
|
||||
The cgc->buffer is never cleaned and initialized before this function. If
|
||||
ret = 0 with the previous basic block, it's possible to display some
|
||||
memory bytes in kernel space from userspace.
|
||||
|
||||
When we read a block from the disk it normally fills the ->buffer but if
|
||||
the drive is malfunctioning there is a chance that it would only be
|
||||
partially filled. The result is an leak information to userspace.
|
||||
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Cc: Jens Axboe <axboe@kernel.dk>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
---
|
||||
(limited to 'drivers/cdrom/cdrom.c')
|
||||
|
||||
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
|
||||
index d620b44..8a3aff7 100644
|
||||
--- a/drivers/cdrom/cdrom.c
|
||||
+++ b/drivers/cdrom/cdrom.c
|
||||
@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
|
||||
if (lba < 0)
|
||||
return -EINVAL;
|
||||
|
||||
- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
|
||||
+ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
|
||||
if (cgc->buffer == NULL)
|
||||
return -ENOMEM;
|
||||
|
||||
--
|
||||
cgit v0.9.2
|
11
kernel.spec
11
kernel.spec
|
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 200
|
||||
%global baserelease 201
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -780,6 +780,9 @@ Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
|
|||
# Fix for build failure on powerpc in 3.9.5
|
||||
Patch25037: powerpc-3.9.5-fix.patch
|
||||
|
||||
#CVE-2013-2164 rhbz 973100 973109
|
||||
Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1498,6 +1501,9 @@ ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
|
|||
# Fix for build failure on powerpc in 3.9.5
|
||||
ApplyPatch powerpc-3.9.5-fix.patch
|
||||
|
||||
#CVE-2013-2164 rhbz 973100 973109
|
||||
ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2343,6 +2349,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Tue Jun 11 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109)
|
||||
|
||||
* Mon Jun 10 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.5-200
|
||||
- Linux v3.9.5
|
||||
|
||||
|
|
Loading…
Reference in New Issue