[kernel] CVE-2013-2850 iscsi-target: heap buffer overflow on large key error (rhbz 968036 969272)

Josh Boyer jwboyer at fedoraproject.org
Fri May 31 11:39:02 UTC 2013


commit 74e1b9e160732e4fddf614422ee038f1896214b7
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Fri May 31 07:33:17 2013 -0400

    CVE-2013-2850 iscsi-target: heap buffer overflow on large key error (rhbz 968036 969272)

 ...-target-fix-heap-buffer-overflow-on-error.patch |   63 ++++++++++++++++++++
 kernel.spec                                        |    9 +++
 2 files changed, 72 insertions(+), 0 deletions(-)
---
diff --git a/iscsi-target-fix-heap-buffer-overflow-on-error.patch b/iscsi-target-fix-heap-buffer-overflow-on-error.patch
new file mode 100644
index 0000000..7b36812
--- /dev/null
+++ b/iscsi-target-fix-heap-buffer-overflow-on-error.patch
@@ -0,0 +1,63 @@
+From cea4dcfdad926a27a18e188720efe0f2c9403456 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook at chromium.org>
+Date: Thu, 23 May 2013 17:32:17 +0000
+Subject: iscsi-target: fix heap buffer overflow on error
+
+If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
+error response packet, generated by iscsi_add_notunderstood_response(),
+would still attempt to copy the entire key into the packet, overflowing
+the structure on the heap.
+
+Remote preauthentication kernel memory corruption was possible if a
+target was configured and listening on the network.
+
+CVE-2013-2850
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at vger.kernel.org
+Signed-off-by: Nicholas Bellinger <nab at linux-iscsi.org>
+---
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
+index c2185fc..e382221 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response(
+ 	}
+ 	INIT_LIST_HEAD(&extra_response->er_list);
+ 
+-	strncpy(extra_response->key, key, strlen(key) + 1);
+-	strncpy(extra_response->value, NOTUNDERSTOOD,
+-			strlen(NOTUNDERSTOOD) + 1);
++	strlcpy(extra_response->key, key, sizeof(extra_response->key));
++	strlcpy(extra_response->value, NOTUNDERSTOOD,
++		sizeof(extra_response->value));
+ 
+ 	list_add_tail(&extra_response->er_list,
+ 			&param_list->extra_response_list);
+@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input(
+ 
+ 		if (phase & PHASE_SECURITY) {
+ 			if (iscsi_check_for_auth_key(key) > 0) {
+-				char *tmpptr = key + strlen(key);
+-				*tmpptr = '=';
+ 				kfree(tmpbuf);
+ 				return 1;
+ 			}
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
+index 915b067..a47046a 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.h
++++ b/drivers/target/iscsi/iscsi_target_parameters.h
+@@ -1,8 +1,10 @@
+ #ifndef ISCSI_PARAMETERS_H
+ #define ISCSI_PARAMETERS_H
+ 
++#include <scsi/iscsi_proto.h>
++
+ struct iscsi_extra_response {
+-	char key[64];
++	char key[KEY_MAXLEN];
+ 	char value[32];
+ 	struct list_head er_list;
+ } ____cacheline_aligned;
+--
+cgit v0.9.2
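Review bot: The bounded copy into `extra_response->key` at the first inner hunk truncates silently, and with `key` sized exactly `KEY_MAXLEN` a key that is itself `KEY_MAXLEN` characters long loses its last character to the terminator; whether that length can reach this function depends on the exact comparison in iscsi_check_key(), which is not in the hunk, so confirm it rejects keys of length `>= KEY_MAXLEN` rather than only longer ones. If it does not, either size the field one byte larger, `char key[KEY_MAXLEN + 1];`, or treat truncation as an error, `if (strlcpy(extra_response->key, key, sizeof(extra_response->key)) >= sizeof(extra_response->key)) return -1;`, after releasing `extra_response`. The `value[32]` field stays a bare number next to the new `KEY_MAXLEN`; a named constant or a comment such as `/* large enough for NOTUNDERSTOOD plus terminator */` would document why 32 is sufficient. iscsi_add_notunderstood_response() and iscsi_decode_text_input() both begin and end outside the quoted inner hunks.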
diff --git a/kernel.spec b/kernel.spec
index 8b706f8..5bd8190 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -739,6 +739,9 @@ Patch25023: hp-wmi-fix-incorrect-rfkill-set-hw-state.patch
 #rhbz 948262
 Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
 
+#CVE-2013-2850 rhbz 968036 969272
+Patch25025: iscsi-target-fix-heap-buffer-overflow-on-error.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1423,6 +1426,9 @@ ApplyPatch hp-wmi-fix-incorrect-rfkill-set-hw-state.patch
 #rhbz 948262
 ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
 
+#CVE-2013-2850 rhbz 968036 969272
+ApplyPatch iscsi-target-fix-heap-buffer-overflow-on-error.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2228,6 +2234,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Fri May 31 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-2850 iscsi-target: heap buffer overflow on large key error (rhbz 968036 969272)
+
 * Thu May 30 2013 Peter Robinson <pbrobinson at fedoraproject.org>
 - Minor ARM config update for tegra (AC100)
 

