Update to 3.10-rc4
svn path=/dists/trunk/linux/; revision=20177
This commit is contained in:
parent
41bc6e7895
commit
7aaf67ba18
|
@ -1,4 +1,4 @@
|
||||||
linux (3.10~rc3-1~experimental.1.dsc) UNRELEASED; urgency=low
|
linux (3.10~rc4-1~experimental.1.dsc) UNRELEASED; urgency=low
|
||||||
|
|
||||||
* New upstream release candidate
|
* New upstream release candidate
|
||||||
|
|
||||||
|
|
|
@ -1,62 +0,0 @@
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
Date: Thu, 23 May 2013 17:32:17 +0000
|
|
||||||
Subject: iscsi-target: fix heap buffer overflow on error
|
|
||||||
|
|
||||||
commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream.
|
|
||||||
|
|
||||||
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
|
|
||||||
error response packet, generated by iscsi_add_notunderstood_response(),
|
|
||||||
would still attempt to copy the entire key into the packet, overflowing
|
|
||||||
the structure on the heap.
|
|
||||||
|
|
||||||
Remote preauthentication kernel memory corruption was possible if a
|
|
||||||
target was configured and listening on the network.
|
|
||||||
|
|
||||||
CVE-2013-2850
|
|
||||||
|
|
||||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
||||||
Cc: stable@vger.kernel.org
|
|
||||||
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
|
||||||
---
|
|
||||||
diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
|
|
||||||
index c2185fc..e382221 100644
|
|
||||||
--- a/drivers/target/iscsi/iscsi_target_parameters.c
|
|
||||||
+++ b/drivers/target/iscsi/iscsi_target_parameters.c
|
|
||||||
@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response(
|
|
||||||
}
|
|
||||||
INIT_LIST_HEAD(&extra_response->er_list);
|
|
||||||
|
|
||||||
- strncpy(extra_response->key, key, strlen(key) + 1);
|
|
||||||
- strncpy(extra_response->value, NOTUNDERSTOOD,
|
|
||||||
- strlen(NOTUNDERSTOOD) + 1);
|
|
||||||
+ strlcpy(extra_response->key, key, sizeof(extra_response->key));
|
|
||||||
+ strlcpy(extra_response->value, NOTUNDERSTOOD,
|
|
||||||
+ sizeof(extra_response->value));
|
|
||||||
|
|
||||||
list_add_tail(&extra_response->er_list,
|
|
||||||
¶m_list->extra_response_list);
|
|
||||||
@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input(
|
|
||||||
|
|
||||||
if (phase & PHASE_SECURITY) {
|
|
||||||
if (iscsi_check_for_auth_key(key) > 0) {
|
|
||||||
- char *tmpptr = key + strlen(key);
|
|
||||||
- *tmpptr = '=';
|
|
||||||
kfree(tmpbuf);
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
|
|
||||||
index 915b067..a47046a 100644
|
|
||||||
--- a/drivers/target/iscsi/iscsi_target_parameters.h
|
|
||||||
+++ b/drivers/target/iscsi/iscsi_target_parameters.h
|
|
||||||
@@ -1,8 +1,10 @@
|
|
||||||
#ifndef ISCSI_PARAMETERS_H
|
|
||||||
#define ISCSI_PARAMETERS_H
|
|
||||||
|
|
||||||
+#include <scsi/iscsi_proto.h>
|
|
||||||
+
|
|
||||||
struct iscsi_extra_response {
|
|
||||||
- char key[64];
|
|
||||||
+ char key[KEY_MAXLEN];
|
|
||||||
char value[32];
|
|
||||||
struct list_head er_list;
|
|
||||||
} ____cacheline_aligned;
|
|
|
@ -84,5 +84,3 @@ features/arm/ARM-dts-imx-use-usb-nop-xceiv-usbphy-entries-for-imx5x.patch
|
||||||
features/arm/ARM-dts-imx-imx53-qsb.dts-enable-usbotg-and-usbh1.patch
|
features/arm/ARM-dts-imx-imx53-qsb.dts-enable-usbotg-and-usbh1.patch
|
||||||
features/arm/usbmisc-imx-add-module_device_table.patch
|
features/arm/usbmisc-imx-add-module_device_table.patch
|
||||||
features/arm/imx53-qsb-usb-power.patch
|
features/arm/imx53-qsb-usb-power.patch
|
||||||
|
|
||||||
bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch
|
|
||||||
|
|
Loading…
Reference in New Issue