[kernel/f19] CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)

Josh Boyer jwboyer at fedoraproject.org
Fri Jun 7 12:24:07 UTC 2013


commit 692bbe5871786574387bfb2982f2d51bb4c9e482
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Fri Jun 7 08:23:01 2013 -0400

    CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)

 ...-do-not-pass-disk-names-as-format-strings.patch |   64 ++++++++++++++++++++
 kernel.spec                                        |    7 ++
 2 files changed, 71 insertions(+), 0 deletions(-)
---
diff --git a/block-do-not-pass-disk-names-as-format-strings.patch b/block-do-not-pass-disk-names-as-format-strings.patch
new file mode 100644
index 0000000..496111d
--- /dev/null
+++ b/block-do-not-pass-disk-names-as-format-strings.patch
@@ -0,0 +1,64 @@
+Disk names may contain arbitrary strings, so they must not be interpreted
+as format strings. It seems that only md allows arbitrary strings to be
+used for disk names, but this could allow for a local memory corruption
+from uid 0 into ring 0.
+
+CVE-2013-2851
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at vger.kernel.org
+Cc: Jens Axboe <axboe at kernel.dk>
+---
+ block/genhd.c              |    2 +-
+ drivers/block/nbd.c        |    3 ++-
+ drivers/scsi/osd/osd_uld.c |    2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 20625ee..cdeb527 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
+ 
+ 	ddev->parent = disk->driverfs_dev;
+ 
+-	dev_set_name(ddev, disk->disk_name);
++	dev_set_name(ddev, "%s", disk->disk_name);
+ 
+ 	/* delay uevents, until we scanned partition table */
+ 	dev_set_uevent_suppress(ddev, 1);
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 037288e..46b35f7 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
+ 		else
+ 			blk_queue_flush(nbd->disk->queue, 0);
+ 
+-		thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
++		thread = kthread_create(nbd_thread, nbd, "%s",
++					nbd->disk->disk_name);
+ 		if (IS_ERR(thread)) {
+ 			mutex_lock(&nbd->tx_lock);
+ 			return PTR_ERR(thread);
+diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
+index 0fab6b5..9d86947 100644
+--- a/drivers/scsi/osd/osd_uld.c
++++ b/drivers/scsi/osd/osd_uld.c
+@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
+ 	oud->class_dev.class = &osd_uld_class;
+ 	oud->class_dev.parent = dev;
+ 	oud->class_dev.release = __remove;
+-	error = dev_set_name(&oud->class_dev, disk->disk_name);
++	error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
+ 	if (error) {
+ 		OSD_ERR("dev_set_name failed => %d\n", error);
+ 		goto err_put_cdev;
+-- 
+1.7.9.5
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at  http://www.tux.org/lkml/
\ No newline at end of file
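Review bot: The committed patch file ends with the mailing-list footer (the `--` / unsubscribe / majordomo lines at the end of the hunk) and has no trailing newline, so what lands in the tree is not a clean patch: the footer should be harmless to `patch`/ApplyPatch since it carries no hunk markers, but it is noise next to the code, and the missing final newline means any later touch of the file shows up as a spurious whole-line change. Trim the file so it ends at the `1.7.9.5` version trailer followed by a newline. Since the patch has no `From:` line or upstream commit reference in its header, it would also help tracking to note the mainline commit id in the header once the fix is merged, using a placeholder such as `Upstream: <COMMIT-ID>` until it is known. The fix itself, inserting `"%s"` before `disk->disk_name` for the `dev_set_name` and `kthread_create` callers, looks right; it may be worth confirming there are no other callers in the tree that hand `disk_name` to a printf-style API, as only three sites are covered here.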
diff --git a/kernel.spec b/kernel.spec
index ae26788..9dae94e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -789,6 +789,9 @@ Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
 #CVE-2013-2852 rhbz 969518 971665
 Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
 
+#CVE-2013-2851 rhbz 969515 971662
+Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1524,6 +1527,9 @@ ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
 #CVE-2013-2852 rhbz 969518 971665
 ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
 
+#CVE-2013-2851 rhbz 969515 971662
+ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2352,6 +2358,7 @@ fi
 
 %changelog
 * Fri Jun 07 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)
 - CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
 
 * Thu Jun 06 2013 Josh Boyer <jwboyer at redhat.com>

