diff options
Diffstat (limited to 'b43-stop-format-string-leaking-into-error-msgs.patch')
-rw-r--r-- | b43-stop-format-string-leaking-into-error-msgs.patch | 32 |
1 files changed, 0 insertions, 32 deletions
diff --git a/b43-stop-format-string-leaking-into-error-msgs.patch b/b43-stop-format-string-leaking-into-error-msgs.patch deleted file mode 100644 index 84249e5eb..000000000 --- a/b43-stop-format-string-leaking-into-error-msgs.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001 -From: Kees Cook <keescook@chromium.org> -Date: Fri, 10 May 2013 21:48:21 +0000 -Subject: b43: stop format string leaking into error msgs - -The module parameter "fwpostfix" is userspace controllable, unfiltered, -and is used to define the firmware filename. b43_do_request_fw() populates -ctx->errors[] on error, containing the firmware filename. b43err() -parses its arguments as a format string. For systems with b43 hardware, -this could lead to a uid-0 to ring-0 escalation. - -CVE-2013-2852 - -Signed-off-by: Kees Cook <keescook@chromium.org> -Cc: stable@vger.kernel.org -Signed-off-by: John W. Linville <linville@tuxdriver.com> ---- -diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c -index 6dd07e2..a95b77a 100644 ---- a/drivers/net/wireless/b43/main.c -+++ b/drivers/net/wireless/b43/main.c -@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work) - for (i = 0; i < B43_NR_FWTYPES; i++) { - errmsg = ctx->errors[i]; - if (strlen(errmsg)) -- b43err(dev->wl, errmsg); -+ b43err(dev->wl, "%s", errmsg); - } - b43_print_fw_helptext(dev->wl, 1); - goto out; --- -cgit v0.9.2 |