diff options
| author | Josh Boyer <jwboyer@redhat.com> | 2013-06-07 08:23:01 -0400 |
|---|---|---|
| committer | Josh Boyer <jwboyer@redhat.com> | 2013-06-07 08:23:33 -0400 |
| commit | 4d67b5bc522925ae66f4fd783e391baa5ed73d61 (patch) | |
| tree | 2bff647ade5e68b5a26ae9208a6eb582c543c09f /block-do-not-pass-disk-names-as-format-strings.patch | |
| parent | be3c5103be31fc8ee6fe89808bcca127dade2fb9 (diff) | |
| download | kernel-4d67b5bc522925ae66f4fd783e391baa5ed73d61.tar.gz kernel-4d67b5bc522925ae66f4fd783e391baa5ed73d61.tar.xz kernel-4d67b5bc522925ae66f4fd783e391baa5ed73d61.zip | |
CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)
Diffstat (limited to 'block-do-not-pass-disk-names-as-format-strings.patch')
| -rw-r--r-- | block-do-not-pass-disk-names-as-format-strings.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/block-do-not-pass-disk-names-as-format-strings.patch b/block-do-not-pass-disk-names-as-format-strings.patch new file mode 100644 index 000000000..496111dcd --- /dev/null +++ b/block-do-not-pass-disk-names-as-format-strings.patch @@ -0,0 +1,64 @@ +Disk names may contain arbitrary strings, so they must not be interpreted +as format strings. It seems that only md allows arbitrary strings to be +used for disk names, but this could allow for a local memory corruption +from uid 0 into ring 0. + +CVE-2013-2851 + +Signed-off-by: Kees Cook <keescook@chromium.org> +Cc: stable@vger.kernel.org +Cc: Jens Axboe <axboe@kernel.dk> +--- + block/genhd.c | 2 +- + drivers/block/nbd.c | 3 ++- + drivers/scsi/osd/osd_uld.c | 2 +- + 3 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/block/genhd.c b/block/genhd.c +index 20625ee..cdeb527 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk) + + ddev->parent = disk->driverfs_dev; + +- dev_set_name(ddev, disk->disk_name); ++ dev_set_name(ddev, "%s", disk->disk_name); + + /* delay uevents, until we scanned partition table */ + dev_set_uevent_suppress(ddev, 1); +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 037288e..46b35f7 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, + else + blk_queue_flush(nbd->disk->queue, 0); + +- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name); ++ thread = kthread_create(nbd_thread, nbd, "%s", ++ nbd->disk->disk_name); + if (IS_ERR(thread)) { + mutex_lock(&nbd->tx_lock); + return PTR_ERR(thread); +diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c +index 0fab6b5..9d86947 100644 +--- a/drivers/scsi/osd/osd_uld.c ++++ b/drivers/scsi/osd/osd_uld.c +@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev) + oud->class_dev.class = &osd_uld_class; + oud->class_dev.parent = dev; + oud->class_dev.release = __remove; +- error = dev_set_name(&oud->class_dev, disk->disk_name); ++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name); + if (error) { + OSD_ERR("dev_set_name failed => %d\n", error); + goto err_put_cdev; +-- +1.7.9.5 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/
\ No newline at end of file |