rpms/kernel
9
2
Fork 4
Code Issues Pull Requests Releases Activity

CVE-2013-2850 iscsi-target: heap buffer overflow on large key error (rhbz 968036 969272)

Browse Source
This commit is contained in:
Josh Boyer 2013-05-31 07:33:17 -04:00
parent b94ced6c9a
commit 74e1b9e160
2 changed files with 72 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
iscsi-target-fix-heap-buffer-overflow-on-error.patch Normal file
View File

@ -0,0 +1,63 @@
From cea4dcfdad926a27a18e188720efe0f2c9403456 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Thu, 23 May 2013 17:32:17 +0000
Subject: iscsi-target: fix heap buffer overflow on error
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
error response packet, generated by iscsi_add_notunderstood_response(),
would still attempt to copy the entire key into the packet, overflowing
the structure on the heap.
Remote preauthentication kernel memory corruption was possible if a
target was configured and listening on the network.
CVE-2013-2850
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
---
diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
index c2185fc..e382221 100644
--- a/drivers/target/iscsi/iscsi_target_parameters.c
+++ b/drivers/target/iscsi/iscsi_target_parameters.c
@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response(
}
INIT_LIST_HEAD(&extra_response->er_list);
- strncpy(extra_response->key, key, strlen(key) + 1);
- strncpy(extra_response->value, NOTUNDERSTOOD,
- strlen(NOTUNDERSTOOD) + 1);
+ strlcpy(extra_response->key, key, sizeof(extra_response->key));
+ strlcpy(extra_response->value, NOTUNDERSTOOD,
+ sizeof(extra_response->value));
list_add_tail(&extra_response->er_list,
&param_list->extra_response_list);
@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input(
if (phase & PHASE_SECURITY) {
if (iscsi_check_for_auth_key(key) > 0) {
- char *tmpptr = key + strlen(key);
- *tmpptr = '=';
kfree(tmpbuf);
return 1;
}
diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
index 915b067..a47046a 100644
--- a/drivers/target/iscsi/iscsi_target_parameters.h
+++ b/drivers/target/iscsi/iscsi_target_parameters.h
@@ -1,8 +1,10 @@
#ifndef ISCSI_PARAMETERS_H
#define ISCSI_PARAMETERS_H
+#include <scsi/iscsi_proto.h>
+
struct iscsi_extra_response {
- char key[64];
+ char key[KEY_MAXLEN];
char value[32];
struct list_head er_list;
} ____cacheline_aligned;
--
cgit v0.9.2

9
kernel.spec
View File

@ -739,6 +739,9 @@ Patch25023: hp-wmi-fix-incorrect-rfkill-set-hw-state.patch
#rhbz 948262 #rhbz 948262
Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
#CVE-2013-2850 rhbz 968036 969272
Patch25025: iscsi-target-fix-heap-buffer-overflow-on-error.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
%endif %endif
@ -1423,6 +1426,9 @@ ApplyPatch hp-wmi-fix-incorrect-rfkill-set-hw-state.patch
#rhbz 948262 #rhbz 948262
ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
#CVE-2013-2850 rhbz 968036 969272
ApplyPatch iscsi-target-fix-heap-buffer-overflow-on-error.patch
# END OF PATCH APPLICATIONS # END OF PATCH APPLICATIONS
%endif %endif
@ -2228,6 +2234,9 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Fri May 31 2013 Josh Boyer <jwboyer@redhat.com>
- CVE-2013-2850 iscsi-target: heap buffer overflow on large key error (rhbz 968036 969272)
* Thu May 30 2013 Peter Robinson <pbrobinson@fedoraproject.org> * Thu May 30 2013 Peter Robinson <pbrobinson@fedoraproject.org>
- Minor ARM config update for tegra (AC100) - Minor ARM config update for tegra (AC100)