Linux v3.9.10
parent
16dbebbb4b
commit
7eabed4227
|
@ -1,64 +0,0 @@
|
|||
Disk names may contain arbitrary strings, so they must not be interpreted
|
||||
as format strings. It seems that only md allows arbitrary strings to be
|
||||
used for disk names, but this could allow for a local memory corruption
|
||||
from uid 0 into ring 0.
|
||||
|
||||
CVE-2013-2851
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
Cc: Jens Axboe <axboe@kernel.dk>
|
||||
---
|
||||
block/genhd.c | 2 +-
|
||||
drivers/block/nbd.c | 3 ++-
|
||||
drivers/scsi/osd/osd_uld.c | 2 +-
|
||||
3 files changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/block/genhd.c b/block/genhd.c
|
||||
index 20625ee..cdeb527 100644
|
||||
--- a/block/genhd.c
|
||||
+++ b/block/genhd.c
|
||||
@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
|
||||
|
||||
ddev->parent = disk->driverfs_dev;
|
||||
|
||||
- dev_set_name(ddev, disk->disk_name);
|
||||
+ dev_set_name(ddev, "%s", disk->disk_name);
|
||||
|
||||
/* delay uevents, until we scanned partition table */
|
||||
dev_set_uevent_suppress(ddev, 1);
|
||||
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
|
||||
index 037288e..46b35f7 100644
|
||||
--- a/drivers/block/nbd.c
|
||||
+++ b/drivers/block/nbd.c
|
||||
@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
|
||||
else
|
||||
blk_queue_flush(nbd->disk->queue, 0);
|
||||
|
||||
- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
|
||||
+ thread = kthread_create(nbd_thread, nbd, "%s",
|
||||
+ nbd->disk->disk_name);
|
||||
if (IS_ERR(thread)) {
|
||||
mutex_lock(&nbd->tx_lock);
|
||||
return PTR_ERR(thread);
|
||||
diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
|
||||
index 0fab6b5..9d86947 100644
|
||||
--- a/drivers/scsi/osd/osd_uld.c
|
||||
+++ b/drivers/scsi/osd/osd_uld.c
|
||||
@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
|
||||
oud->class_dev.class = &osd_uld_class;
|
||||
oud->class_dev.parent = dev;
|
||||
oud->class_dev.release = __remove;
|
||||
- error = dev_set_name(&oud->class_dev, disk->disk_name);
|
||||
+ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
|
||||
if (error) {
|
||||
OSD_ERR("dev_set_name failed => %d\n", error);
|
||||
goto err_put_cdev;
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|
|
@ -1,45 +0,0 @@
|
|||
From 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 Mon Sep 17 00:00:00 2001
|
||||
From: Jonathan Salwan <jonathan.salwan@gmail.com>
|
||||
Date: Thu, 06 Jun 2013 00:39:39 +0000
|
||||
Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
|
||||
|
||||
In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
|
||||
area with kmalloc in line 2885.
|
||||
|
||||
2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
|
||||
2886 if (cgc->buffer == NULL)
|
||||
2887 return -ENOMEM;
|
||||
|
||||
In line 2908 we can find the copy_to_user function:
|
||||
|
||||
2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
|
||||
|
||||
The cgc->buffer is never cleaned and initialized before this function. If
|
||||
ret = 0 with the previous basic block, it's possible to display some
|
||||
memory bytes in kernel space from userspace.
|
||||
|
||||
When we read a block from the disk it normally fills the ->buffer but if
|
||||
the drive is malfunctioning there is a chance that it would only be
|
||||
partially filled. The result is an leak information to userspace.
|
||||
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Cc: Jens Axboe <axboe@kernel.dk>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
---
|
||||
(limited to 'drivers/cdrom/cdrom.c')
|
||||
|
||||
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
|
||||
index d620b44..8a3aff7 100644
|
||||
--- a/drivers/cdrom/cdrom.c
|
||||
+++ b/drivers/cdrom/cdrom.c
|
||||
@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
|
||||
if (lba < 0)
|
||||
return -EINVAL;
|
||||
|
||||
- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
|
||||
+ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
|
||||
if (cgc->buffer == NULL)
|
||||
return -ENOMEM;
|
||||
|
||||
--
|
||||
cgit v0.9.2
|
|
@ -1,24 +0,0 @@
|
|||
diff --git a/net/ceph/auth_none.c b/net/ceph/auth_none.c
|
||||
index 925ca58..0ef2458 100644
|
||||
--- a/net/ceph/auth_none.c
|
||||
+++ b/net/ceph/auth_none.c
|
||||
@@ -39,6 +39,11 @@ static int should_authenticate(struct ceph_auth_client *ac)
|
||||
return xi->starting;
|
||||
}
|
||||
|
||||
+static int build_request(struct ceph_auth_client *ac, void *buf, void *end)
|
||||
+{
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* the generic auth code decode the global_id, and we carry no actual
|
||||
* authenticate state, so nothing happens here.
|
||||
@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops ceph_auth_none_ops = {
|
||||
.destroy = destroy,
|
||||
.is_authenticated = is_authenticated,
|
||||
.should_authenticate = should_authenticate,
|
||||
+ .build_request = build_request,
|
||||
.handle_reply = handle_reply,
|
||||
.create_authorizer = ceph_auth_none_create_authorizer,
|
||||
.destroy_authorizer = ceph_auth_none_destroy_authorizer,
|
25
kernel.spec
25
kernel.spec
|
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 203
|
||||
%global baserelease 200
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 9
|
||||
%define stable_update 10
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -762,12 +762,6 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch
|
|||
#CVE-2013-2148 rhbz 971258 971261
|
||||
Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
|
||||
|
||||
#CVE-2013-2851 rhbz 969515 971662
|
||||
Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
|
||||
|
||||
#CVE-2013-2164 rhbz 973100 973109
|
||||
Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch
|
||||
|
||||
#rhbz 969644
|
||||
Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch
|
||||
|
||||
|
@ -796,9 +790,6 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch
|
|||
#CVE-2013-2234 rhbz 980995 981007
|
||||
Patch25058: af_key-fix-info-leaks-in-notify-messages.patch
|
||||
|
||||
#CVE-2013-1059 rhbz 977356 980341
|
||||
Patch25059: ceph-fix.patch
|
||||
|
||||
#CVE-2013-2232 rhbz 981552 981564
|
||||
Patch25060: ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
|
||||
|
||||
|
@ -1514,12 +1505,6 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch
|
|||
#CVE-2013-2148 rhbz 971258 971261
|
||||
ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
|
||||
|
||||
#CVE-2013-2851 rhbz 969515 971662
|
||||
ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
|
||||
|
||||
#CVE-2013-2164 rhbz 973100 973109
|
||||
ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch
|
||||
|
||||
#rhbz 969644
|
||||
ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch
|
||||
|
||||
|
@ -1547,9 +1532,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch
|
|||
#CVE-2013-2234 rhbz 980995 981007
|
||||
ApplyPatch af_key-fix-info-leaks-in-notify-messages.patch
|
||||
|
||||
#CVE-2013-1059 rhbz 977356 980341
|
||||
ApplyPatch ceph-fix.patch
|
||||
|
||||
#CVE-2013-2232 rhbz 981552 981564
|
||||
ApplyPatch ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
|
||||
|
||||
|
@ -2410,6 +2392,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Sat Jul 13 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.10-200
|
||||
- Linux v3.9.10
|
||||
|
||||
* Fri Jul 12 2013 Dave Jones <davej@redhat.com> - 3.9.9-203
|
||||
- Disable LATENCYTOP/SCHEDSTATS in non-debug builds.
|
||||
|
||||
|
|
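Review bot: The new `%changelog` entry at the end of the kernel.spec section says only `- Linux v3.9.10`, although the same section removes the `Patch25035`, `Patch25038` and `Patch25059` lines and their `ApplyPatch` counterparts for CVE-2013-2851, CVE-2013-2164 and CVE-2013-1059. Presumably those three fixes are carried by the 3.9.10 stable update, but nothing on this page shows that, so someone auditing the package cannot tell from the spec whether the disk-name format-string, cdrom info-leak and ceph fixes are still present. I would confirm each fix is in the rebased tree and record it under the new entry, for example `- Drop CVE-2013-2851, CVE-2013-2164 and CVE-2013-1059 patches, now in 3.9.10`.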