CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)
This commit is contained in:
parent
ebfa77478c
commit
579e4ff693
@ -760,6 +760,9 @@ Patch25152: sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch
|
|||||||
Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch
|
Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch
|
||||||
Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch
|
Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch
|
||||||
|
|
||||||
|
#CVE-2013-6378 rhbz 1033578 1034183
|
||||||
|
Patch25155: libertas-potential-oops-in-debugfs.patch
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -1488,6 +1491,9 @@ ApplyPatch sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch
|
|||||||
ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch
|
ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch
|
||||||
ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch
|
ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch
|
||||||
|
|
||||||
|
#CVE-2013-6378 rhbz 1033578 1034183
|
||||||
|
ApplyPatch libertas-potential-oops-in-debugfs.patch
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -2291,6 +2297,9 @@ fi
|
|||||||
# ||----w |
|
# ||----w |
|
||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Nov 25 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
|
- CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)
|
||||||
|
|
||||||
* Sat Nov 23 2013 Peter Robinson <pbrobinson@fedoraproject.org>
|
* Sat Nov 23 2013 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||||
- Fix ARM Utilite DTB
|
- Fix ARM Utilite DTB
|
||||||
- Enable FSL RTC (for i.MX6)
|
- Enable FSL RTC (for i.MX6)
|
||||||
|
50
libertas-potential-oops-in-debugfs.patch
Normal file
50
libertas-potential-oops-in-debugfs.patch
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
Bugzilla: 1034183
|
||||||
|
Upstream-status: 3.13
|
||||||
|
|
||||||
|
From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||||
|
Date: Wed, 30 Oct 2013 20:12:51 +0300
|
||||||
|
Subject: [PATCH] libertas: potential oops in debugfs
|
||||||
|
|
||||||
|
If we do a zero size allocation then it will oops. Also we can't be
|
||||||
|
sure the user passes us a NUL terminated string so I've added a
|
||||||
|
terminator.
|
||||||
|
|
||||||
|
This code can only be triggered by root.
|
||||||
|
|
||||||
|
Reported-by: Nico Golde <nico@ngolde.de>
|
||||||
|
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
|
||||||
|
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||||
|
Acked-by: Dan Williams <dcbw@redhat.com>
|
||||||
|
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
||||||
|
---
|
||||||
|
drivers/net/wireless/libertas/debugfs.c | 6 +++++-
|
||||||
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
|
||||||
|
index 668dd27..cc6a0a5 100644
|
||||||
|
--- a/drivers/net/wireless/libertas/debugfs.c
|
||||||
|
+++ b/drivers/net/wireless/libertas/debugfs.c
|
||||||
|
@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
|
||||||
|
char *p2;
|
||||||
|
struct debug_data *d = f->private_data;
|
||||||
|
|
||||||
|
- pdata = kmalloc(cnt, GFP_KERNEL);
|
||||||
|
+ if (cnt == 0)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ pdata = kmalloc(cnt + 1, GFP_KERNEL);
|
||||||
|
if (pdata == NULL)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
|
||||||
|
kfree(pdata);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+ pdata[cnt] = '\0';
|
||||||
|
|
||||||
|
p0 = pdata;
|
||||||
|
for (i = 0; i < num_of_items; i++) {
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
Loading…
Reference in New Issue
Block a user