CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109)
This commit is contained in:
parent
82b54fdc46
commit
b9ce3498af
45
cdrom-use-kzalloc-for-failing-hardware.patch
Normal file
45
cdrom-use-kzalloc-for-failing-hardware.patch
Normal file
@ -0,0 +1,45 @@
|
|||||||
|
From 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jonathan Salwan <jonathan.salwan@gmail.com>
|
||||||
|
Date: Thu, 06 Jun 2013 00:39:39 +0000
|
||||||
|
Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
|
||||||
|
|
||||||
|
In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
|
||||||
|
area with kmalloc in line 2885.
|
||||||
|
|
||||||
|
2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
|
||||||
|
2886 if (cgc->buffer == NULL)
|
||||||
|
2887 return -ENOMEM;
|
||||||
|
|
||||||
|
In line 2908 we can find the copy_to_user function:
|
||||||
|
|
||||||
|
2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
|
||||||
|
|
||||||
|
The cgc->buffer is never cleaned and initialized before this function. If
|
||||||
|
ret = 0 with the previous basic block, it's possible to display some
|
||||||
|
memory bytes in kernel space from userspace.
|
||||||
|
|
||||||
|
When we read a block from the disk it normally fills the ->buffer but if
|
||||||
|
the drive is malfunctioning there is a chance that it would only be
|
||||||
|
partially filled. The result is an leak information to userspace.
|
||||||
|
|
||||||
|
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||||
|
Cc: Jens Axboe <axboe@kernel.dk>
|
||||||
|
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||||
|
---
|
||||||
|
(limited to 'drivers/cdrom/cdrom.c')
|
||||||
|
|
||||||
|
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
|
||||||
|
index d620b44..8a3aff7 100644
|
||||||
|
--- a/drivers/cdrom/cdrom.c
|
||||||
|
+++ b/drivers/cdrom/cdrom.c
|
||||||
|
@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
|
||||||
|
if (lba < 0)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
|
||||||
|
+ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
|
||||||
|
if (cgc->buffer == NULL)
|
||||||
|
return -ENOMEM;
|
||||||
|
|
||||||
|
--
|
||||||
|
cgit v0.9.2
|
11
kernel.spec
11
kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
|||||||
# For non-released -rc kernels, this will be appended after the rcX and
|
# For non-released -rc kernels, this will be appended after the rcX and
|
||||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||||
#
|
#
|
||||||
%global baserelease 2
|
%global baserelease 3
|
||||||
%global fedora_build %{baserelease}
|
%global fedora_build %{baserelease}
|
||||||
|
|
||||||
# base_sublevel is the kernel version we're starting with and patching
|
# base_sublevel is the kernel version we're starting with and patching
|
||||||
@ -757,6 +757,9 @@ Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
|
|||||||
#CVE-2013-2851 rhbz 969515 971662
|
#CVE-2013-2851 rhbz 969515 971662
|
||||||
Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
|
Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
|
||||||
|
|
||||||
|
#CVE-2013-2164 rhbz 973100 973109
|
||||||
|
Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -1457,6 +1460,9 @@ ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
|
|||||||
#CVE-2013-2851 rhbz 969515 971662
|
#CVE-2013-2851 rhbz 969515 971662
|
||||||
ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
|
ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
|
||||||
|
|
||||||
|
#CVE-2013-2164 rhbz 973100 973109
|
||||||
|
ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -2262,6 +2268,9 @@ fi
|
|||||||
# ||----w |
|
# ||----w |
|
||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 11 2013 Josh Boyer <jwboyer@redhat.com>
|
||||||
|
- CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109)
|
||||||
|
|
||||||
* Mon Jun 10 2013 Peter Robinson <pbrobinson@fedoraproject.org>
|
* Mon Jun 10 2013 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||||
- Enable Freescale i.MX platforms and initial config
|
- Enable Freescale i.MX platforms and initial config
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user