From 7aaf67ba18183a4b9f444a82fc8f61cbb382362c Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sun, 2 Jun 2013 18:34:53 +0000 Subject: [PATCH] Update to 3.10-rc4 svn path=/dists/trunk/linux/; revision=20177 --- debian/changelog | 2 +- ...et-fix-heap-buffer-overflow-on-error.patch | 62 ------------------- debian/patches/series | 2 - 3 files changed, 1 insertion(+), 65 deletions(-) delete mode 100644 debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch diff --git a/debian/changelog b/debian/changelog index e971db79d..180f9d368 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (3.10~rc3-1~experimental.1.dsc) UNRELEASED; urgency=low +linux (3.10~rc4-1~experimental.1.dsc) UNRELEASED; urgency=low * New upstream release candidate diff --git a/debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch b/debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch deleted file mode 100644 index 8df64f3b7..000000000 --- a/debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch +++ /dev/null @@ -1,62 +0,0 @@ -From: Kees Cook -Date: Thu, 23 May 2013 17:32:17 +0000 -Subject: iscsi-target: fix heap buffer overflow on error - -commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream. - -If a key was larger than 64 bytes, as checked by iscsi_check_key(), the -error response packet, generated by iscsi_add_notunderstood_response(), -would still attempt to copy the entire key into the packet, overflowing -the structure on the heap. - -Remote preauthentication kernel memory corruption was possible if a -target was configured and listening on the network. - -CVE-2013-2850 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Signed-off-by: Nicholas Bellinger ---- -diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c -index c2185fc..e382221 100644 ---- a/drivers/target/iscsi/iscsi_target_parameters.c -+++ b/drivers/target/iscsi/iscsi_target_parameters.c -@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response( - } - INIT_LIST_HEAD(&extra_response->er_list); - -- strncpy(extra_response->key, key, strlen(key) + 1); -- strncpy(extra_response->value, NOTUNDERSTOOD, -- strlen(NOTUNDERSTOOD) + 1); -+ strlcpy(extra_response->key, key, sizeof(extra_response->key)); -+ strlcpy(extra_response->value, NOTUNDERSTOOD, -+ sizeof(extra_response->value)); - - list_add_tail(&extra_response->er_list, - ¶m_list->extra_response_list); -@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input( - - if (phase & PHASE_SECURITY) { - if (iscsi_check_for_auth_key(key) > 0) { -- char *tmpptr = key + strlen(key); -- *tmpptr = '='; - kfree(tmpbuf); - return 1; - } -diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h -index 915b067..a47046a 100644 ---- a/drivers/target/iscsi/iscsi_target_parameters.h -+++ b/drivers/target/iscsi/iscsi_target_parameters.h -@@ -1,8 +1,10 @@ - #ifndef ISCSI_PARAMETERS_H - #define ISCSI_PARAMETERS_H - -+#include -+ - struct iscsi_extra_response { -- char key[64]; -+ char key[KEY_MAXLEN]; - char value[32]; - struct list_head er_list; - } ____cacheline_aligned; diff --git a/debian/patches/series b/debian/patches/series index 81b8ceb11..e46f21524 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -84,5 +84,3 @@ features/arm/ARM-dts-imx-use-usb-nop-xceiv-usbphy-entries-for-imx5x.patch features/arm/ARM-dts-imx-imx53-qsb.dts-enable-usbotg-and-usbh1.patch features/arm/usbmisc-imx-add-module_device_table.patch features/arm/imx53-qsb-usb-power.patch - -bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch