Linux v3.9.5
parent
33c1a67054
commit
a5e016d48a
|
@ -1,63 +0,0 @@
|
|||
From cea4dcfdad926a27a18e188720efe0f2c9403456 Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Thu, 23 May 2013 17:32:17 +0000
|
||||
Subject: iscsi-target: fix heap buffer overflow on error
|
||||
|
||||
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
|
||||
error response packet, generated by iscsi_add_notunderstood_response(),
|
||||
would still attempt to copy the entire key into the packet, overflowing
|
||||
the structure on the heap.
|
||||
|
||||
Remote preauthentication kernel memory corruption was possible if a
|
||||
target was configured and listening on the network.
|
||||
|
||||
CVE-2013-2850
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
||||
---
|
||||
diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
|
||||
index c2185fc..e382221 100644
|
||||
--- a/drivers/target/iscsi/iscsi_target_parameters.c
|
||||
+++ b/drivers/target/iscsi/iscsi_target_parameters.c
|
||||
@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response(
|
||||
}
|
||||
INIT_LIST_HEAD(&extra_response->er_list);
|
||||
|
||||
- strncpy(extra_response->key, key, strlen(key) + 1);
|
||||
- strncpy(extra_response->value, NOTUNDERSTOOD,
|
||||
- strlen(NOTUNDERSTOOD) + 1);
|
||||
+ strlcpy(extra_response->key, key, sizeof(extra_response->key));
|
||||
+ strlcpy(extra_response->value, NOTUNDERSTOOD,
|
||||
+ sizeof(extra_response->value));
|
||||
|
||||
list_add_tail(&extra_response->er_list,
|
||||
¶m_list->extra_response_list);
|
||||
@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input(
|
||||
|
||||
if (phase & PHASE_SECURITY) {
|
||||
if (iscsi_check_for_auth_key(key) > 0) {
|
||||
- char *tmpptr = key + strlen(key);
|
||||
- *tmpptr = '=';
|
||||
kfree(tmpbuf);
|
||||
return 1;
|
||||
}
|
||||
diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
|
||||
index 915b067..a47046a 100644
|
||||
--- a/drivers/target/iscsi/iscsi_target_parameters.h
|
||||
+++ b/drivers/target/iscsi/iscsi_target_parameters.h
|
||||
@@ -1,8 +1,10 @@
|
||||
#ifndef ISCSI_PARAMETERS_H
|
||||
#define ISCSI_PARAMETERS_H
|
||||
|
||||
+#include <scsi/iscsi_proto.h>
|
||||
+
|
||||
struct iscsi_extra_response {
|
||||
- char key[64];
|
||||
+ char key[KEY_MAXLEN];
|
||||
char value[32];
|
||||
struct list_head er_list;
|
||||
} ____cacheline_aligned;
|
||||
--
|
||||
cgit v0.9.2
|
|
@ -1,39 +0,0 @@
|
|||
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
|
||||
|
||||
In 63b77bf489881747c5118476918cc8c29378ee63
|
||||
|
||||
iwlwifi: dvm: don't send zeroed LQ cmd
|
||||
|
||||
I tried to avoid to send zeroed LQ cmd, but I made a (very)
|
||||
stupid mistake in the memcmp.
|
||||
Since this patch has been ported to stable, the fix should
|
||||
go to stable too.
|
||||
|
||||
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=58341
|
||||
|
||||
Change-Id: I0af4b3fdd537a1f674e85eb02dc0f5b5ac1ee7ac
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: Hinnerk van Bruinehsen <h.v.bruinehsen@fu-berlin.de>
|
||||
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
|
||||
---
|
||||
Josh, this fix ugly -stable 3.8, 3.9 regression, please apply.
|
||||
|
||||
drivers/net/wireless/iwlwifi/dvm/sta.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/net/wireless/iwlwifi/dvm/sta.c b/drivers/net/wireless/iwlwifi/dvm/sta.c
|
||||
index 5175368..8212097 100644
|
||||
--- a/drivers/net/wireless/iwlwifi/dvm/sta.c
|
||||
+++ b/drivers/net/wireless/iwlwifi/dvm/sta.c
|
||||
@@ -735,7 +735,7 @@ void iwl_restore_stations(struct iwl_priv *priv, struct iwl_rxon_context *ctx)
|
||||
memcpy(&lq, priv->stations[i].lq,
|
||||
sizeof(struct iwl_link_quality_cmd));
|
||||
|
||||
- if (!memcmp(&lq, &zero_lq, sizeof(lq)))
|
||||
+ if (memcmp(&lq, &zero_lq, sizeof(lq)))
|
||||
send_lq = true;
|
||||
}
|
||||
spin_unlock_bh(&priv->sta_lock);
|
||||
--
|
||||
1.7.10.4
|
||||
|
17
kernel.spec
17
kernel.spec
|
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 202
|
||||
%global baserelease 200
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 4
|
||||
%define stable_update 5
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -753,17 +753,12 @@ Patch25001: i7300_edac_single_mode_fixup.patch
|
|||
#rhbz 927469
|
||||
Patch25007: fix-child-thread-introspection.patch
|
||||
|
||||
Patch25022: iwlwifi-dvm-fix-memset.patch
|
||||
|
||||
#rhbz 964367
|
||||
Patch25023: hp-wmi-fix-incorrect-rfkill-set-hw-state.patch
|
||||
|
||||
#rhbz 948262
|
||||
Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
|
||||
|
||||
#CVE-2013-2850 rhbz 968036 969272
|
||||
Patch25025: iscsi-target-fix-heap-buffer-overflow-on-error.patch
|
||||
|
||||
#rhbz 964335
|
||||
Patch25026: Modify-UEFI-anti-bricking-code.patch
|
||||
|
||||
|
@ -1473,17 +1468,12 @@ ApplyPatch VMX-x86-handle-host-TSC-calibration-failure.patch
|
|||
#rhbz 927469
|
||||
ApplyPatch fix-child-thread-introspection.patch
|
||||
|
||||
ApplyPatch iwlwifi-dvm-fix-memset.patch
|
||||
|
||||
#rhbz 964367
|
||||
ApplyPatch hp-wmi-fix-incorrect-rfkill-set-hw-state.patch
|
||||
|
||||
#rhbz 948262
|
||||
ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
|
||||
|
||||
#CVE-2013-2850 rhbz 968036 969272
|
||||
ApplyPatch iscsi-target-fix-heap-buffer-overflow-on-error.patch
|
||||
|
||||
#rhbz 964335
|
||||
ApplyPatch Modify-UEFI-anti-bricking-code.patch
|
||||
|
||||
|
@ -2347,6 +2337,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Mon Jun 10 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- Linux v3.9.5
|
||||
|
||||
* Fri Jun 07 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)
|
||||
- CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
|
||||
|
|
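Review bot: The new `%changelog` entry `- Linux v3.9.5` does not record that the CVE-2013-2850 fix (`Patch25025` / `ApplyPatch iscsi-target-fix-heap-buffer-overflow-on-error.patch`, rhbz 968036 969272) is dropped from the spec in the same change, so the package history no longer shows where that fix comes from. Presumably both removed patches are carried by the 3.9.5 stable update, since each was Cc'd to stable, but nothing on this page shows it; that should be confirmed against the upstream 3.9.5 changelog before the patch files are deleted. I would add a changelog line such as `- Drop iscsi-target (CVE-2013-2850 rhbz 968036 969272) and iwlwifi-dvm patches, included in 3.9.5` so CVE tracking from the changelog stays accurate. The same applies to the `Patch25022` / `ApplyPatch iwlwifi-dvm-fix-memset.patch` removal in the two patch-list hunks.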