diff options
| author | Josh Boyer <jwboyer@fedoraproject.org> | 2013-11-25 08:21:51 -0500 |
|---|---|---|
| committer | Josh Boyer <jwboyer@fedoraproject.org> | 2013-11-25 08:23:47 -0500 |
| commit | 579e4ff693ec2255010b8bc4aaba3d5aa62b3bc3 (patch) | |
| tree | 3ad8e457e4e824235302b5f32a4b3f33d34ca1ea | |
| parent | ebfa77478ceab6697b44d5c8a29e1fb9fc9a65d4 (diff) | |
| download | kernel-579e4ff693ec2255010b8bc4aaba3d5aa62b3bc3.tar.gz kernel-579e4ff693ec2255010b8bc4aaba3d5aa62b3bc3.tar.xz kernel-579e4ff693ec2255010b8bc4aaba3d5aa62b3bc3.zip | |
CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)
| -rw-r--r-- | kernel.spec | 9 | ||||
| -rw-r--r-- | libertas-potential-oops-in-debugfs.patch | 50 |
2 files changed, 59 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec index a22ecdc7b..17e478070 100644 --- a/kernel.spec +++ b/kernel.spec @@ -760,6 +760,9 @@ Patch25152: sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch +#CVE-2013-6378 rhbz 1033578 1034183 +Patch25155: libertas-potential-oops-in-debugfs.patch + # END OF PATCH DEFINITIONS %endif @@ -1488,6 +1491,9 @@ ApplyPatch sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch +#CVE-2013-6378 rhbz 1033578 1034183 +ApplyPatch libertas-potential-oops-in-debugfs.patch + # END OF PATCH APPLICATIONS %endif @@ -2291,6 +2297,9 @@ fi # ||----w | # || || %changelog +* Mon Nov 25 2013 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183) + * Sat Nov 23 2013 Peter Robinson <pbrobinson@fedoraproject.org> - Fix ARM Utilite DTB - Enable FSL RTC (for i.MX6) diff --git a/libertas-potential-oops-in-debugfs.patch b/libertas-potential-oops-in-debugfs.patch new file mode 100644 index 000000000..02e72d8f9 --- /dev/null +++ b/libertas-potential-oops-in-debugfs.patch @@ -0,0 +1,50 @@ +Bugzilla: 1034183 +Upstream-status: 3.13 + +From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Wed, 30 Oct 2013 20:12:51 +0300 +Subject: [PATCH] libertas: potential oops in debugfs + +If we do a zero size allocation then it will oops. Also we can't be +sure the user passes us a NUL terminated string so I've added a +terminator. + +This code can only be triggered by root. + +Reported-by: Nico Golde <nico@ngolde.de> +Reported-by: Fabian Yamaguchi <fabs@goesec.de> +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Acked-by: Dan Williams <dcbw@redhat.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +--- + drivers/net/wireless/libertas/debugfs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c +index 668dd27..cc6a0a5 100644 +--- a/drivers/net/wireless/libertas/debugfs.c ++++ b/drivers/net/wireless/libertas/debugfs.c +@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, + char *p2; + struct debug_data *d = f->private_data; + +- pdata = kmalloc(cnt, GFP_KERNEL); ++ if (cnt == 0) ++ return 0; ++ ++ pdata = kmalloc(cnt + 1, GFP_KERNEL); + if (pdata == NULL) + return 0; + +@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, + kfree(pdata); + return 0; + } ++ pdata[cnt] = '\0'; + + p0 = pdata; + for (i = 0; i < num_of_items; i++) { +-- +1.8.3.1 + |