CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)

This commit is contained in:
Josh Boyer 2013-06-07 08:23:01 -04:00
parent be3c5103be
commit 4d67b5bc52
2 changed files with 71 additions and 0 deletions

View File

@ -0,0 +1,64 @@
Disk names may contain arbitrary strings, so they must not be interpreted
as format strings. It seems that only md allows arbitrary strings to be
used for disk names, but this could allow for a local memory corruption
from uid 0 into ring 0.
CVE-2013-2851
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>
---
block/genhd.c | 2 +-
drivers/block/nbd.c | 3 ++-
drivers/scsi/osd/osd_uld.c | 2 +-
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/block/genhd.c b/block/genhd.c
index 20625ee..cdeb527 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
ddev->parent = disk->driverfs_dev;
- dev_set_name(ddev, disk->disk_name);
+ dev_set_name(ddev, "%s", disk->disk_name);
/* delay uevents, until we scanned partition table */
dev_set_uevent_suppress(ddev, 1);
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 037288e..46b35f7 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
else
blk_queue_flush(nbd->disk->queue, 0);
- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
+ thread = kthread_create(nbd_thread, nbd, "%s",
+ nbd->disk->disk_name);
if (IS_ERR(thread)) {
mutex_lock(&nbd->tx_lock);
return PTR_ERR(thread);
diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
index 0fab6b5..9d86947 100644
--- a/drivers/scsi/osd/osd_uld.c
+++ b/drivers/scsi/osd/osd_uld.c
@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
oud->class_dev.class = &osd_uld_class;
oud->class_dev.parent = dev;
oud->class_dev.release = __remove;
- error = dev_set_name(&oud->class_dev, disk->disk_name);
+ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
if (error) {
OSD_ERR("dev_set_name failed => %d\n", error);
goto err_put_cdev;
--
1.7.9.5
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

View File

@ -754,6 +754,9 @@ Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
#CVE-2013-2852 rhbz 969518 971665 #CVE-2013-2852 rhbz 969518 971665
Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
#CVE-2013-2851 rhbz 969515 971662
Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
%endif %endif
@ -1451,6 +1454,9 @@ ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
#CVE-2013-2852 rhbz 969518 971665 #CVE-2013-2852 rhbz 969518 971665
ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
#CVE-2013-2851 rhbz 969515 971662
ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
# END OF PATCH APPLICATIONS # END OF PATCH APPLICATIONS
%endif %endif
@ -2257,6 +2263,7 @@ fi
# || || # || ||
%changelog %changelog
* Fri Jun 07 2013 Josh Boyer <jwboyer@redhat.com> * Fri Jun 07 2013 Josh Boyer <jwboyer@redhat.com>
- CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)
- CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665) - CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
* Thu Jun 06 2013 Josh Boyer <jwboyer@redhat.com> * Thu Jun 06 2013 Josh Boyer <jwboyer@redhat.com>