[kernel/stabilization] CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)
Josh Boyer
jwboyer at fedoraproject.org
Mon Nov 25 13:24:29 UTC 2013
commit 579e4ff693ec2255010b8bc4aaba3d5aa62b3bc3
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Mon Nov 25 08:21:51 2013 -0500
CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)
kernel.spec | 9 +++++
libertas-potential-oops-in-debugfs.patch | 50 ++++++++++++++++++++++++++++++
2 files changed, 59 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index a22ecdc..17e4780 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -760,6 +760,9 @@ Patch25152: sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch
Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch
Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch
+#CVE-2013-6378 rhbz 1033578 1034183
+Patch25155: libertas-potential-oops-in-debugfs.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1488,6 +1491,9 @@ ApplyPatch sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch
ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch
ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch
+#CVE-2013-6378 rhbz 1033578 1034183
+ApplyPatch libertas-potential-oops-in-debugfs.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2291,6 +2297,9 @@ fi
# ||----w |
# || ||
%changelog
+* Mon Nov 25 2013 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)
+
* Sat Nov 23 2013 Peter Robinson <pbrobinson at fedoraproject.org>
- Fix ARM Utilite DTB
- Enable FSL RTC (for i.MX6)
diff --git a/libertas-potential-oops-in-debugfs.patch b/libertas-potential-oops-in-debugfs.patch
new file mode 100644
index 0000000..02e72d8
--- /dev/null
+++ b/libertas-potential-oops-in-debugfs.patch
@@ -0,0 +1,50 @@
+Bugzilla: 1034183
+Upstream-status: 3.13
+
+From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Wed, 30 Oct 2013 20:12:51 +0300
+Subject: [PATCH] libertas: potential oops in debugfs
+
+If we do a zero size allocation then it will oops. Also we can't be
+sure the user passes us a NUL terminated string so I've added a
+terminator.
+
+This code can only be triggered by root.
+
+Reported-by: Nico Golde <nico at ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs at goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Acked-by: Dan Williams <dcbw at redhat.com>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+---
+ drivers/net/wireless/libertas/debugfs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
+index 668dd27..cc6a0a5 100644
+--- a/drivers/net/wireless/libertas/debugfs.c
++++ b/drivers/net/wireless/libertas/debugfs.c
+@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
+ char *p2;
+ struct debug_data *d = f->private_data;
+
+- pdata = kmalloc(cnt, GFP_KERNEL);
++ if (cnt == 0)
++ return 0;
++
++ pdata = kmalloc(cnt + 1, GFP_KERNEL);
+ if (pdata == NULL)
+ return 0;
+
+@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
+ kfree(pdata);
+ return 0;
+ }
++ pdata[cnt] = '\0';
+
+ p0 = pdata;
+ for (i = 0; i < num_of_items; i++) {
+--
+1.8.3.1
+
More information about the scm-commits
mailing list