diff --git a/iscsi-target-fix-heap-buffer-overflow-on-error.patch b/iscsi-target-fix-heap-buffer-overflow-on-error.patch
new file mode 100644
index 000000000..7b368122d
--- /dev/null
+++ b/iscsi-target-fix-heap-buffer-overflow-on-error.patch
@@ -0,0 +1,63 @@
+From cea4dcfdad926a27a18e188720efe0f2c9403456 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Thu, 23 May 2013 17:32:17 +0000
+Subject: iscsi-target: fix heap buffer overflow on error
+
+If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
+error response packet, generated by iscsi_add_notunderstood_response(),
+would still attempt to copy the entire key into the packet, overflowing
+the structure on the heap.
+
+Remote preauthentication kernel memory corruption was possible if a
+target was configured and listening on the network.
+
+CVE-2013-2850
+
+Signed-off-by: Kees Cook
+Cc: stable@vger.kernel.org
+Signed-off-by: Nicholas Bellinger
+---
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
+index c2185fc..e382221 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response(
+ }
+ INIT_LIST_HEAD(&extra_response->er_list);
+
+- strncpy(extra_response->key, key, strlen(key) + 1);
+- strncpy(extra_response->value, NOTUNDERSTOOD,
+- strlen(NOTUNDERSTOOD) + 1);
++ strlcpy(extra_response->key, key, sizeof(extra_response->key));
++ strlcpy(extra_response->value, NOTUNDERSTOOD,
++ sizeof(extra_response->value));
+
+ list_add_tail(&extra_response->er_list,
+ ¶m_list->extra_response_list);
+@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input(
+
+ if (phase & PHASE_SECURITY) {
+ if (iscsi_check_for_auth_key(key) > 0) {
+- char *tmpptr = key + strlen(key);
+- *tmpptr = '=';
+ kfree(tmpbuf);
+ return 1;
+ }
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
+index 915b067..a47046a 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.h
++++ b/drivers/target/iscsi/iscsi_target_parameters.h
+@@ -1,8 +1,10 @@
+ #ifndef ISCSI_PARAMETERS_H
+ #define ISCSI_PARAMETERS_H
+
++#include
++
+ struct iscsi_extra_response {
+- char key[64];
++ char key[KEY_MAXLEN];
+ char value[32];
+ struct list_head er_list;
+ } ____cacheline_aligned;
+--
+cgit v0.9.2
diff --git a/kernel.spec b/kernel.spec
index 8b706f806..5bd819078 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -739,6 +739,9 @@ Patch25023: hp-wmi-fix-incorrect-rfkill-set-hw-state.patch #rhbz 948262 Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch +#CVE-2013-2850 rhbz 968036 969272 +Patch25025: iscsi-target-fix-heap-buffer-overflow-on-error.patch + # END OF PATCH DEFINITIONS %endif
@@ -1423,6 +1426,9 @@ ApplyPatch hp-wmi-fix-incorrect-rfkill-set-hw-state.patch #rhbz 948262 ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch +#CVE-2013-2850 rhbz 968036 969272 +ApplyPatch iscsi-target-fix-heap-buffer-overflow-on-error.patch + # END OF PATCH APPLICATIONS %endif
@@ -2228,6 +2234,9 @@ fi # ||----w | # || || %changelog +* Fri May 31 2013 Josh Boyer +- CVE-2013-2850 iscsi-target: heap buffer overflow on large key error (rhbz 968036 969272) + * Thu May 30 2013 Peter Robinson - Minor ARM config update for tegra (AC100)
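Review bot: In iscsi_add_notunderstood_response() the new `strlcpy(extra_response->key, key, sizeof(extra_response->key));` bounds the write but discards the return value, so a peer-supplied key longer than the buffer is now truncated silently in the NotUnderstood response. That is memory-safe, but the intent deserves a comment above the call, such as `/* key comes from the initiator and may be over-long: truncate, never overflow (CVE-2013-2850) */`. strlcpy() also runs strlen() on its source, so the fix still relies on `key` being NUL-terminated by the caller, which is not visible in this hunk. Separately, the iscsi_decode_text_input() hunk drops the two lines that wrote '=' back at `key + strlen(key)`, and the commit message does not say why that removal belongs to the fix; a sentence on it would help anyone backporting to stable. Both function bodies start and end outside the hunks shown.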