diff options
| author | Josh Boyer <jwboyer@redhat.com> | 2013-06-11 08:06:36 -0400 |
|---|---|---|
| committer | Josh Boyer <jwboyer@redhat.com> | 2013-06-11 08:09:57 -0400 |
| commit | b9ce3498af1d48bc579902f117c6b03432b111cb (patch) | |
| tree | 442ee8f9a5346e5485c5cb128f9f1eae856692d1 | |
| parent | 82b54fdc466eeb7397971032765e0b3e2c186e64 (diff) | |
| download | kernel-b9ce3498af1d48bc579902f117c6b03432b111cb.tar.gz kernel-b9ce3498af1d48bc579902f117c6b03432b111cb.tar.xz kernel-b9ce3498af1d48bc579902f117c6b03432b111cb.zip | |
CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109)
| -rw-r--r-- | cdrom-use-kzalloc-for-failing-hardware.patch | 45 | ||||
| -rw-r--r-- | kernel.spec | 11 |
2 files changed, 55 insertions, 1 deletions
diff --git a/cdrom-use-kzalloc-for-failing-hardware.patch b/cdrom-use-kzalloc-for-failing-hardware.patch new file mode 100644 index 000000000..6afb6c4d8 --- /dev/null +++ b/cdrom-use-kzalloc-for-failing-hardware.patch @@ -0,0 +1,45 @@ +From 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 Mon Sep 17 00:00:00 2001 +From: Jonathan Salwan <jonathan.salwan@gmail.com> +Date: Thu, 06 Jun 2013 00:39:39 +0000 +Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware + +In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory +area with kmalloc in line 2885. + +2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL); +2886 if (cgc->buffer == NULL) +2887 return -ENOMEM; + +In line 2908 we can find the copy_to_user function: + +2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize)) + +The cgc->buffer is never cleaned and initialized before this function. If +ret = 0 with the previous basic block, it's possible to display some +memory bytes in kernel space from userspace. + +When we read a block from the disk it normally fills the ->buffer but if +the drive is malfunctioning there is a chance that it would only be +partially filled. The result is an leak information to userspace. + +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Cc: Jens Axboe <axboe@kernel.dk> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +--- +(limited to 'drivers/cdrom/cdrom.c') + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index d620b44..8a3aff7 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi, + if (lba < 0) + return -EINVAL; + +- cgc->buffer = kmalloc(blocksize, GFP_KERNEL); ++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL); + if (cgc->buffer == NULL) + return -ENOMEM; + +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 26015c5b4..06ac9b3b0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 2 +%global baserelease 3 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -757,6 +757,9 @@ Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch #CVE-2013-2851 rhbz 969515 971662 Patch25035: block-do-not-pass-disk-names-as-format-strings.patch +#CVE-2013-2164 rhbz 973100 973109 +Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch + # END OF PATCH DEFINITIONS %endif @@ -1457,6 +1460,9 @@ ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch #CVE-2013-2851 rhbz 969515 971662 ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch +#CVE-2013-2164 rhbz 973100 973109 +ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch + # END OF PATCH APPLICATIONS %endif @@ -2262,6 +2268,9 @@ fi # ||----w | # || || %changelog +* Tue Jun 11 2013 Josh Boyer <jwboyer@redhat.com> +- CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109) + * Mon Jun 10 2013 Peter Robinson <pbrobinson@fedoraproject.org> - Enable Freescale i.MX platforms and initial config |