CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)
This commit is contained in:
parent
be3c5103be
commit
4d67b5bc52
64
block-do-not-pass-disk-names-as-format-strings.patch
Normal file
64
block-do-not-pass-disk-names-as-format-strings.patch
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
Disk names may contain arbitrary strings, so they must not be interpreted
|
||||||
|
as format strings. It seems that only md allows arbitrary strings to be
|
||||||
|
used for disk names, but this could allow for a local memory corruption
|
||||||
|
from uid 0 into ring 0.
|
||||||
|
|
||||||
|
CVE-2013-2851
|
||||||
|
|
||||||
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||||
|
Cc: stable@vger.kernel.org
|
||||||
|
Cc: Jens Axboe <axboe@kernel.dk>
|
||||||
|
---
|
||||||
|
block/genhd.c | 2 +-
|
||||||
|
drivers/block/nbd.c | 3 ++-
|
||||||
|
drivers/scsi/osd/osd_uld.c | 2 +-
|
||||||
|
3 files changed, 4 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/block/genhd.c b/block/genhd.c
|
||||||
|
index 20625ee..cdeb527 100644
|
||||||
|
--- a/block/genhd.c
|
||||||
|
+++ b/block/genhd.c
|
||||||
|
@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
|
||||||
|
|
||||||
|
ddev->parent = disk->driverfs_dev;
|
||||||
|
|
||||||
|
- dev_set_name(ddev, disk->disk_name);
|
||||||
|
+ dev_set_name(ddev, "%s", disk->disk_name);
|
||||||
|
|
||||||
|
/* delay uevents, until we scanned partition table */
|
||||||
|
dev_set_uevent_suppress(ddev, 1);
|
||||||
|
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
|
||||||
|
index 037288e..46b35f7 100644
|
||||||
|
--- a/drivers/block/nbd.c
|
||||||
|
+++ b/drivers/block/nbd.c
|
||||||
|
@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
|
||||||
|
else
|
||||||
|
blk_queue_flush(nbd->disk->queue, 0);
|
||||||
|
|
||||||
|
- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
|
||||||
|
+ thread = kthread_create(nbd_thread, nbd, "%s",
|
||||||
|
+ nbd->disk->disk_name);
|
||||||
|
if (IS_ERR(thread)) {
|
||||||
|
mutex_lock(&nbd->tx_lock);
|
||||||
|
return PTR_ERR(thread);
|
||||||
|
diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
|
||||||
|
index 0fab6b5..9d86947 100644
|
||||||
|
--- a/drivers/scsi/osd/osd_uld.c
|
||||||
|
+++ b/drivers/scsi/osd/osd_uld.c
|
||||||
|
@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
|
||||||
|
oud->class_dev.class = &osd_uld_class;
|
||||||
|
oud->class_dev.parent = dev;
|
||||||
|
oud->class_dev.release = __remove;
|
||||||
|
- error = dev_set_name(&oud->class_dev, disk->disk_name);
|
||||||
|
+ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
|
||||||
|
if (error) {
|
||||||
|
OSD_ERR("dev_set_name failed => %d\n", error);
|
||||||
|
goto err_put_cdev;
|
||||||
|
--
|
||||||
|
1.7.9.5
|
||||||
|
|
||||||
|
--
|
||||||
|
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||||
|
the body of a message to majordomo@vger.kernel.org
|
||||||
|
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||||
|
Please read the FAQ at http://www.tux.org/lkml/
|
@ -754,6 +754,9 @@ Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
|
|||||||
#CVE-2013-2852 rhbz 969518 971665
|
#CVE-2013-2852 rhbz 969518 971665
|
||||||
Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
|
Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
|
||||||
|
|
||||||
|
#CVE-2013-2851 rhbz 969515 971662
|
||||||
|
Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -1451,6 +1454,9 @@ ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
|
|||||||
#CVE-2013-2852 rhbz 969518 971665
|
#CVE-2013-2852 rhbz 969518 971665
|
||||||
ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
|
ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
|
||||||
|
|
||||||
|
#CVE-2013-2851 rhbz 969515 971662
|
||||||
|
ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -2257,6 +2263,7 @@ fi
|
|||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Jun 07 2013 Josh Boyer <jwboyer@redhat.com>
|
* Fri Jun 07 2013 Josh Boyer <jwboyer@redhat.com>
|
||||||
|
- CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)
|
||||||
- CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
|
- CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
|
||||||
|
|
||||||
* Thu Jun 06 2013 Josh Boyer <jwboyer@redhat.com>
|
* Thu Jun 06 2013 Josh Boyer <jwboyer@redhat.com>
|
||||||
|
Loading…
Reference in New Issue
Block a user