[kernel/f19] CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)
Josh Boyer
jwboyer at fedoraproject.org
Fri Jun 7 12:24:07 UTC 2013
commit 692bbe5871786574387bfb2982f2d51bb4c9e482
Author: Josh Boyer <jwboyer at redhat.com>
Date: Fri Jun 7 08:23:01 2013 -0400
CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)
...-do-not-pass-disk-names-as-format-strings.patch | 64 ++++++++++++++++++++
kernel.spec | 7 ++
2 files changed, 71 insertions(+), 0 deletions(-)
---
diff --git a/block-do-not-pass-disk-names-as-format-strings.patch b/block-do-not-pass-disk-names-as-format-strings.patch
new file mode 100644
index 0000000..496111d
--- /dev/null
+++ b/block-do-not-pass-disk-names-as-format-strings.patch
@@ -0,0 +1,64 @@
+Disk names may contain arbitrary strings, so they must not be interpreted
+as format strings. It seems that only md allows arbitrary strings to be
+used for disk names, but this could allow for a local memory corruption
+from uid 0 into ring 0.
+
+CVE-2013-2851
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at vger.kernel.org
+Cc: Jens Axboe <axboe at kernel.dk>
+---
+ block/genhd.c | 2 +-
+ drivers/block/nbd.c | 3 ++-
+ drivers/scsi/osd/osd_uld.c | 2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 20625ee..cdeb527 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
+
+ ddev->parent = disk->driverfs_dev;
+
+- dev_set_name(ddev, disk->disk_name);
++ dev_set_name(ddev, "%s", disk->disk_name);
+
+ /* delay uevents, until we scanned partition table */
+ dev_set_uevent_suppress(ddev, 1);
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 037288e..46b35f7 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
+ else
+ blk_queue_flush(nbd->disk->queue, 0);
+
+- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
++ thread = kthread_create(nbd_thread, nbd, "%s",
++ nbd->disk->disk_name);
+ if (IS_ERR(thread)) {
+ mutex_lock(&nbd->tx_lock);
+ return PTR_ERR(thread);
+diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
+index 0fab6b5..9d86947 100644
+--- a/drivers/scsi/osd/osd_uld.c
++++ b/drivers/scsi/osd/osd_uld.c
+@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
+ oud->class_dev.class = &osd_uld_class;
+ oud->class_dev.parent = dev;
+ oud->class_dev.release = __remove;
+- error = dev_set_name(&oud->class_dev, disk->disk_name);
++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
+ if (error) {
+ OSD_ERR("dev_set_name failed => %d\n", error);
+ goto err_put_cdev;
+--
+1.7.9.5
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at http://www.tux.org/lkml/
\ No newline at end of file
diff --git a/kernel.spec b/kernel.spec
index ae26788..9dae94e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -789,6 +789,9 @@ Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
#CVE-2013-2852 rhbz 969518 971665
Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch
+#CVE-2013-2851 rhbz 969515 971662
+Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1524,6 +1527,9 @@ ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
#CVE-2013-2852 rhbz 969518 971665
ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch
+#CVE-2013-2851 rhbz 969515 971662
+ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2352,6 +2358,7 @@ fi
%changelog
* Fri Jun 07 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662)
- CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665)
* Thu Jun 06 2013 Josh Boyer <jwboyer at redhat.com>
More information about the scm-commits
mailing list