[kernel/f17] CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109)
Josh Boyer
jwboyer at fedoraproject.org
Tue Jun 11 12:10:22 UTC 2013
commit b54718c5ecb750ed90f86eef6f0eabd12c40073c
Author: Josh Boyer <jwboyer at redhat.com>
Date: Tue Jun 11 08:06:36 2013 -0400
CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109)
cdrom-use-kzalloc-for-failing-hardware.patch | 45 ++++++++++++++++++++++++++
kernel.spec | 11 ++++++-
2 files changed, 55 insertions(+), 1 deletions(-)
---
diff --git a/cdrom-use-kzalloc-for-failing-hardware.patch b/cdrom-use-kzalloc-for-failing-hardware.patch
new file mode 100644
index 0000000..6afb6c4
--- /dev/null
+++ b/cdrom-use-kzalloc-for-failing-hardware.patch
@@ -0,0 +1,45 @@
+From 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 Mon Sep 17 00:00:00 2001
+From: Jonathan Salwan <jonathan.salwan at gmail.com>
+Date: Thu, 06 Jun 2013 00:39:39 +0000
+Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
+
+In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
+area with kmalloc in line 2885.
+
+2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
+2886 if (cgc->buffer == NULL)
+2887 return -ENOMEM;
+
+In line 2908 we can find the copy_to_user function:
+
+2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
+
+The cgc->buffer is never cleaned and initialized before this function. If
+ret = 0 with the previous basic block, it's possible to display some
+memory bytes in kernel space from userspace.
+
+When we read a block from the disk it normally fills the ->buffer but if
+the drive is malfunctioning there is a chance that it would only be
+partially filled. The result is an leak information to userspace.
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Cc: Jens Axboe <axboe at kernel.dk>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+---
+(limited to 'drivers/cdrom/cdrom.c')
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index d620b44..8a3aff7 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
+ if (lba < 0)
+ return -EINVAL;
+
+- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
+ if (cgc->buffer == NULL)
+ return -ENOMEM;
+
+--
+cgit v0.9.2
diff --git a/kernel.spec b/kernel.spec
index b3f28b0..7e9ebd5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 100
+%global baserelease 101
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -764,6 +764,9 @@ Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
# Fix for build failure on powerpc in 3.9.5
Patch25037: powerpc-3.9.5-fix.patch
+#CVE-2013-2164 rhbz 973100 973109
+Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1482,6 +1485,9 @@ ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
# Fix for build failure on powerpc in 3.9.5
ApplyPatch powerpc-3.9.5-fix.patch
+#CVE-2013-2164 rhbz 973100 973109
+ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2333,6 +2339,9 @@ fi
# '-' | |
# '-'
%changelog
+* Tue Jun 11 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109)
+
* Mon Jun 10 2013 Josh Boyer <jwboyer at redhat.com> - 3.9.5-100
- Linux v3.9.5
More information about the scm-commits
mailing list