[kernel/f18] CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)

Josh Boyer jwboyer at fedoraproject.org
Mon Nov 25 13:24:14 UTC 2013


commit e76774d6396aae653788da5996830ad31227c344
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Mon Nov 25 08:21:51 2013 -0500

    CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)

 kernel.spec                              |    9 +++++
 libertas-potential-oops-in-debugfs.patch |   50 ++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index df82c59..1ad2444 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -812,6 +812,9 @@ Patch25152: sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch
 Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch
 Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch
 
+#CVE-2013-6378 rhbz 1033578 1034183
+Patch25155: libertas-potential-oops-in-debugfs.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1561,6 +1564,9 @@ ApplyPatch sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch
 ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch
 ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch
 
+#CVE-2013-6378 rhbz 1033578 1034183
+ApplyPatch libertas-potential-oops-in-debugfs.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2402,6 +2408,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Mon Nov 25 2013 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)
+
 * Fri Nov 22 2013 Josh Boyer <jwboyer at fedoraproject.org>
 - Add patches from Jeff Layton to fix 15sec NFS mount hang
 
diff --git a/libertas-potential-oops-in-debugfs.patch b/libertas-potential-oops-in-debugfs.patch
new file mode 100644
index 0000000..02e72d8
--- /dev/null
+++ b/libertas-potential-oops-in-debugfs.patch
@@ -0,0 +1,50 @@
+Bugzilla: 1034183
+Upstream-status: 3.13
+
+From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Wed, 30 Oct 2013 20:12:51 +0300
+Subject: [PATCH] libertas: potential oops in debugfs
+
+If we do a zero size allocation then it will oops.  Also we can't be
+sure the user passes us a NUL terminated string so I've added a
+terminator.
+
+This code can only be triggered by root.
+
+Reported-by: Nico Golde <nico at ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs at goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Acked-by: Dan Williams <dcbw at redhat.com>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+---
+ drivers/net/wireless/libertas/debugfs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
+index 668dd27..cc6a0a5 100644
+--- a/drivers/net/wireless/libertas/debugfs.c
++++ b/drivers/net/wireless/libertas/debugfs.c
+@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
+ 	char *p2;
+ 	struct debug_data *d = f->private_data;
+ 
+-	pdata = kmalloc(cnt, GFP_KERNEL);
++	if (cnt == 0)
++		return 0;
++
++	pdata = kmalloc(cnt + 1, GFP_KERNEL);
+ 	if (pdata == NULL)
+ 		return 0;
+ 
+@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
+ 		kfree(pdata);
+ 		return 0;
+ 	}
++	pdata[cnt] = '\0';
+ 
+ 	p0 = pdata;
+ 	for (i = 0; i < num_of_items; i++) {
+-- 
+1.8.3.1
+
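
Review bot: In the embedded lbs_debugfs_write() change, the new `if (cnt == 0) return 0;` guard joins two existing failure paths that also return 0 (`if (pdata == NULL) return 0;` and the branch in the second inner hunk that does `kfree(pdata); return 0;`), so the caller cannot tell an empty write from a failed allocation or the other error path. Consider a follow-up that returns a negative errno (for example -ENOMEM for the allocation failure) on those paths and keeps 0 only for the empty write. Separately, cnt reaches `kmalloc(cnt + 1, GFP_KERNEL)` with no upper bound visible in this hunk, so a cap on the accepted length would keep the allocation size predictable. The patch header also lists only "Bugzilla: 1034183" while the spec comment and changelog cite both 1033578 and 1034183; listing both would keep the references consistent.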

