CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109)

This commit is contained in:
Josh Boyer 2013-06-11 08:06:36 -04:00
parent 82b54fdc46
commit b9ce3498af
2 changed files with 55 additions and 1 deletions

View File

@ -0,0 +1,45 @@
From 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 Mon Sep 17 00:00:00 2001
From: Jonathan Salwan <jonathan.salwan@gmail.com>
Date: Thu, 06 Jun 2013 00:39:39 +0000
Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
area with kmalloc in line 2885.
2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
2886 if (cgc->buffer == NULL)
2887 return -ENOMEM;
In line 2908 we can find the copy_to_user function:
2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
The cgc->buffer is never cleaned and initialized before this function. If
ret = 0 with the previous basic block, it's possible to display some
memory bytes in kernel space from userspace.
When we read a block from the disk it normally fills the ->buffer but if
the drive is malfunctioning there is a chance that it would only be
partially filled. The result is an leak information to userspace.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
(limited to 'drivers/cdrom/cdrom.c')
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
index d620b44..8a3aff7 100644
--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
if (lba < 0)
return -EINVAL;
- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
+ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
if (cgc->buffer == NULL)
return -ENOMEM;
--
cgit v0.9.2

View File

@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and # For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
# #
%global baserelease 2 %global baserelease 3
%global fedora_build %{baserelease} %global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching # base_sublevel is the kernel version we're starting with and patching
@ -757,6 +757,9 @@ Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
#CVE-2013-2851 rhbz 969515 971662 #CVE-2013-2851 rhbz 969515 971662
Patch25035: block-do-not-pass-disk-names-as-format-strings.patch Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
#CVE-2013-2164 rhbz 973100 973109
Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
%endif %endif
@ -1457,6 +1460,9 @@ ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
#CVE-2013-2851 rhbz 969515 971662 #CVE-2013-2851 rhbz 969515 971662
ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
#CVE-2013-2164 rhbz 973100 973109
ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch
# END OF PATCH APPLICATIONS # END OF PATCH APPLICATIONS
%endif %endif
@ -2262,6 +2268,9 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Tue Jun 11 2013 Josh Boyer <jwboyer@redhat.com>
- CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109)
* Mon Jun 10 2013 Peter Robinson <pbrobinson@fedoraproject.org> * Mon Jun 10 2013 Peter Robinson <pbrobinson@fedoraproject.org>
- Enable Freescale i.MX platforms and initial config - Enable Freescale i.MX platforms and initial config