CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109)
This commit is contained in:
Josh Boyer
parent
82b54fdc46
commit
b9ce3498af
45
cdrom-use-kzalloc-for-failing-hardware.patch
Normal file
45
cdrom-use-kzalloc-for-failing-hardware.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 Mon Sep 17 00:00:00 2001
|
||||
From: Jonathan Salwan <jonathan.salwan@gmail.com>
|
||||
Date: Thu, 06 Jun 2013 00:39:39 +0000
|
||||
Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
|
||||
|
||||
In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
|
||||
area with kmalloc in line 2885.
|
||||
|
||||
2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
|
||||
2886 if (cgc->buffer == NULL)
|
||||
2887 return -ENOMEM;
|
||||
|
||||
In line 2908 we can find the copy_to_user function:
|
||||
|
||||
2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
|
||||
|
||||
The cgc->buffer is never cleaned and initialized before this function. If
|
||||
ret = 0 with the previous basic block, it's possible to display some
|
||||
memory bytes in kernel space from userspace.
|
||||
|
||||
When we read a block from the disk it normally fills the ->buffer but if
|
||||
the drive is malfunctioning there is a chance that it would only be
|
||||
partially filled. The result is an leak information to userspace.
|
||||
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Cc: Jens Axboe <axboe@kernel.dk>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
---
|
||||
(limited to 'drivers/cdrom/cdrom.c')
|
||||
|
||||
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
|
||||
index d620b44..8a3aff7 100644
|
||||
--- a/drivers/cdrom/cdrom.c
|
||||
+++ b/drivers/cdrom/cdrom.c
|
||||
@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
|
||||
if (lba < 0)
|
||||
return -EINVAL;
|
||||
|
||||
- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
|
||||
+ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
|
||||
if (cgc->buffer == NULL)
|
||||
return -ENOMEM;
|
||||
|
||||
--
|
||||
cgit v0.9.2
|
||||
11
kernel.spec
11
kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
||||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 2
|
||||
%global baserelease 3
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
@ -757,6 +757,9 @@ Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
|
||||
#CVE-2013-2851 rhbz 969515 971662
|
||||
Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
|
||||
|
||||
#CVE-2013-2164 rhbz 973100 973109
|
||||
Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
@ -1457,6 +1460,9 @@ ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
|
||||
#CVE-2013-2851 rhbz 969515 971662
|
||||
ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
|
||||
|
||||
#CVE-2013-2164 rhbz 973100 973109
|
||||
ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
@ -2262,6 +2268,9 @@ fi
|
||||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Tue Jun 11 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109)
|
||||
|
||||
* Mon Jun 10 2013 Peter Robinson <pbrobinson@fedoraproject.org>
|
||||
- Enable Freescale i.MX platforms and initial config
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user