From 4d67b5bc522925ae66f4fd783e391baa5ed73d61 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Fri, 7 Jun 2013 08:23:01 -0400
Subject: [PATCH] CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)
---
 ...ot-pass-disk-names-as-format-strings.patch | 64 +++++++++++++++++++
 kernel.spec | 7 ++
 2 files changed, 71 insertions(+)
 create mode 100644 block-do-not-pass-disk-names-as-format-strings.patch
diff --git a/block-do-not-pass-disk-names-as-format-strings.patch b/block-do-not-pass-disk-names-as-format-strings.patch
new file mode 100644
index 000000000..496111dcd
--- /dev/null
+++ b/block-do-not-pass-disk-names-as-format-strings.patch
@@ -0,0 +1,64 @@
+Disk names may contain arbitrary strings, so they must not be interpreted
+as format strings. It seems that only md allows arbitrary strings to be
+used for disk names, but this could allow for a local memory corruption
+from uid 0 into ring 0.
+
+CVE-2013-2851
+
+Signed-off-by: Kees Cook
+Cc: stable@vger.kernel.org
+Cc: Jens Axboe
+---
+ block/genhd.c | 2 +-
+ drivers/block/nbd.c | 3 ++-
+ drivers/scsi/osd/osd_uld.c | 2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 20625ee..cdeb527 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
+
+ ddev->parent = disk->driverfs_dev;
+
+- dev_set_name(ddev, disk->disk_name);
++ dev_set_name(ddev, "%s", disk->disk_name);
+
+ /* delay uevents, until we scanned partition table */
+ dev_set_uevent_suppress(ddev, 1);
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 037288e..46b35f7 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
+ else
+ blk_queue_flush(nbd->disk->queue, 0);
+
+- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
++ thread = kthread_create(nbd_thread, nbd, "%s",
++ nbd->disk->disk_name);
+ if (IS_ERR(thread)) {
+ mutex_lock(&nbd->tx_lock);
+ return PTR_ERR(thread);
+diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
+index 0fab6b5..9d86947 100644
+--- a/drivers/scsi/osd/osd_uld.c
++++ b/drivers/scsi/osd/osd_uld.c
+@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
+ oud->class_dev.class = &osd_uld_class;
+ oud->class_dev.parent = dev;
+ oud->class_dev.release = __remove;
+- error = dev_set_name(&oud->class_dev, disk->disk_name);
++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
+ if (error) {
+ OSD_ERR("dev_set_name failed => %d\n", error);
+ goto err_put_cdev;
+--
+1.7.9.5
+
+--
+To unsubscribe
from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at http://www.tux.org/lkml/
\ No newline at end of file
diff --git a/kernel.spec b/kernel.spec
index 9db2ea6b3..f9d09acea 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -754,6 +754,9 @@ Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
 #CVE-2013-2852 rhbz 969518 971665
 Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
+#CVE-2013-2851 rhbz 969515 971662
+Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1451,6 +1454,9 @@ ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
 #CVE-2013-2852 rhbz 969518 971665
 ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
+#CVE-2013-2851 rhbz 969515 971662
+ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
+
 # END OF PATCH APPLICATIONS
 %endif
@@ -2257,6 +2263,7 @@ fi
 # || ||
 %changelog
 * Fri Jun 07 2013 Josh Boyer
+- CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)
 - CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
 * Thu Jun 06 2013 Josh Boyer
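Review bot: Nothing in the carried patch's description or in this commit records how the three fixed call sites (`register_disk()` in block/genhd.c, `__nbd_ioctl()` in drivers/block/nbd.c, `osd_probe()` in drivers/scsi/osd/osd_uld.c) were found, so a reader cannot tell whether other printf-style callers that receive `disk->disk_name` were checked. `dev_set_name()` and `kthread_create()` both take a format string followed by varargs, so a build of the affected tree with `-Wformat-security` enabled would presumably flag any remaining non-literal format argument; I would add one sentence to the patch description naming the method used. Separately, the patch file was saved with the mailing-list footer after the `-- ` signature and without a trailing newline, and trimming the footer would keep the file to the change itself. All three functions continue outside their hunks.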