[kernel] CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)

Josh Boyer jwboyer at fedoraproject.org
Fri Jun 7 12:18:57 UTC 2013 

commit be3c5103be31fc8ee6fe89808bcca127dade2fb9
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Fri Jun 7 08:15:42 2013 -0400

    CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)

 ...top-format-string-leaking-into-error-msgs.patch |   32 ++++++++++++++++++++
 kernel.spec                                        |    9 +++++
 2 files changed, 41 insertions(+), 0 deletions(-)
---
diff --git a/b43-stop-format-string-leaking-into-error-msgs.patch b/b43-stop-format-string-leaking-into-error-msgs.patch
new file mode 100644
index 0000000..84249e5
--- /dev/null
+++ b/b43-stop-format-string-leaking-into-error-msgs.patch
@@ -0,0 +1,32 @@
+From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook at chromium.org>
+Date: Fri, 10 May 2013 21:48:21 +0000
+Subject: b43: stop format string leaking into error msgs
+
+The module parameter "fwpostfix" is userspace controllable, unfiltered,
+and is used to define the firmware filename. b43_do_request_fw() populates
+ctx->errors[] on error, containing the firmware filename. b43err()
+parses its arguments as a format string. For systems with b43 hardware,
+this could lead to a uid-0 to ring-0 escalation.
+
+CVE-2013-2852
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at vger.kernel.org
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+---
+diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
+index 6dd07e2..a95b77a 100644
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work)
+ 	for (i = 0; i < B43_NR_FWTYPES; i++) {
+ 		errmsg = ctx->errors[i];
+ 		if (strlen(errmsg))
+-			b43err(dev->wl, errmsg);
++			b43err(dev->wl, "%s", errmsg);
+ 	}
+ 	b43_print_fw_helptext(dev->wl, 1);
+ 	goto out;
+--
+cgit v0.9.2
diff --git a/kernel.spec b/kernel.spec
index 6e0d719..9db2ea6 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -751,6 +751,9 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch
 #CVE-2013-2148 rhbz 971258 971261
 Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
 
+#CVE-2013-2852 rhbz 969518 971665
+Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1445,6 +1448,9 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch
 #CVE-2013-2148 rhbz 971258 971261
 ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
 
+#CVE-2013-2852 rhbz 969518 971665
+ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2250,6 +2256,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Fri Jun 07 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
+
 * Thu Jun 06 2013 Josh Boyer <jwboyer at redhat.com>
 - CVE-2013-2148 fanotify: info leak in copy_event_to_user (rhbz 971258 971261)
 - CVE-2013-2147 cpqarray/cciss: information leak via ioctl (rhbz 971242 971249)

More information about the scm-commits mailing list