Apply various security fixes
svn path=/dists/sid/linux/; revision=20285
parent
01086c8f36
commit
87274a8083
|
@ -23,6 +23,9 @@ linux (3.9.7-1) UNRELEASED; urgency=low
|
||||||
* yama: Disable ptrace restrictions by default, and change boot message
|
* yama: Disable ptrace restrictions by default, and change boot message
|
||||||
to indicate this (Closes: #712740)
|
to indicate this (Closes: #712740)
|
||||||
* [x86] efi: Fix dummy variable buffer allocation
|
* [x86] efi: Fix dummy variable buffer allocation
|
||||||
|
* fanotify: info leak in copy_event_to_user() (CVE-2013-2148)
|
||||||
|
* drivers/cdrom/cdrom.c: use kzalloc() for failing hardware (CVE-2013-2164)
|
||||||
|
* block: do not pass disk names as format strings (CVE-2013-2851)
|
||||||
|
|
||||||
-- Ben Hutchings <ben@decadent.org.uk> Wed, 19 Jun 2013 04:30:59 +0100
|
-- Ben Hutchings <ben@decadent.org.uk> Wed, 19 Jun 2013 04:30:59 +0100
|
||||||
|
|
||||||
|
|
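--- a/debian/patches/bugfix/all/block-do-not-pass-disk-names-as-format-strings.patch
+++ b/debian/patches/bugfix/all/block-do-not-pass-disk-names-as-format-strings.patch
@@ -0,0 +1,62 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 19 Jun 2013 10:05:44 +1000
+Subject: block: do not pass disk names as format strings
+
+commit 00a10d269c161c4dc61e4d87d7941082c5b57488 upstream.
+
+Disk names may contain arbitrary strings, so they must not be interpreted
+as format strings. It seems that only md allows arbitrary strings to be
+used for disk names, but this could allow for a local memory corruption
+from uid 0 into ring 0.
+
+CVE-2013-2851
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+---
+block/genhd.c | 2 +-
+drivers/block/nbd.c | 3 ++-
+drivers/scsi/osd/osd_uld.c | 2 +-
+3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index e9094b3..dadf42b 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
+
+ddev->parent = disk->driverfs_dev;
+
+- dev_set_name(ddev, disk->disk_name);
++ dev_set_name(ddev, "%s", disk->disk_name);
+
+/* delay uevents, until we scanned partition table */
+dev_set_uevent_suppress(ddev, 1);
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 037288e..46b35f7 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
+else
+blk_queue_flush(nbd->disk->queue, 0);
+
+- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
++ thread = kthread_create(nbd_thread, nbd, "%s",
++ nbd->disk->disk_name);
+if (IS_ERR(thread)) {
+mutex_lock(&nbd->tx_lock);
+return PTR_ERR(thread);
+diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
+index 0fab6b5..9d86947 100644
+--- a/drivers/scsi/osd/osd_uld.c
++++ b/drivers/scsi/osd/osd_uld.c
+@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
+oud->class_dev.class = &osd_uld_class;
+oud->class_dev.parent = dev;
+oud->class_dev.release = __remove;
+- error = dev_set_name(&oud->class_dev, disk->disk_name);
++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
+if (error) {
+OSD_ERR("dev_set_name failed => %d\n", error);
+goto err_put_cdev;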
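Review bot: Nothing in this patch keeps the pattern from returning: the `"%s"` is added by hand at three call sites (`dev_set_name` in register_disk, `kthread_create` in __nbd_ioctl, `dev_set_name` in osd_probe), and a later cleanup could drop it again without any visible reason not to. The description says only md appears to accept arbitrary disk names, and whether other callers pass a variable name as the format argument is not visible here. Building with `-Wformat-security` would flag such calls wherever the callee carries a printf format attribute (to be confirmed for these two functions). A one-line comment at each site, e.g. `/* disk_name is data, never a format string */`, would record why the extra argument must stay. All three enclosing functions start and end outside their hunks.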
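--- a/debian/patches/bugfix/all/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardwa.patch
+++ b/debian/patches/bugfix/all/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardwa.patch
@@ -0,0 +1,45 @@
+From: Jonathan Salwan <jonathan.salwan@gmail.com>
+Date: Wed, 19 Jun 2013 10:05:44 +1000
+Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
+
+commit 410b0fa7c0ffe191a0596430e1b414192a111fe0 upstream.
+
+In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
+area with kmalloc in line 2885.
+
+2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
+2886 if (cgc->buffer == NULL)
+2887 return -ENOMEM;
+
+In line 2908 we can find the copy_to_user function:
+
+2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
+
+The cgc->buffer is never cleaned and initialized before this function. If
+ret = 0 with the previous basic block, it's possible to display some
+memory bytes in kernel space from userspace.
+
+When we read a block from the disk it normally fills the ->buffer but if
+the drive is malfunctioning there is a chance that it would only be
+partially filled. The result is an leak information to userspace.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+---
+drivers/cdrom/cdrom.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index d620b44..8a3aff7 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
+if (lba < 0)
+return -EINVAL;
+
+- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
+if (cgc->buffer == NULL)
+return -ENOMEM;
+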
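Review bot: A short transfer from a failing drive is still reported as success in mmc_ioctl_cdrom_read_data: the `copy_to_user(arg, cgc->buffer, blocksize)` quoted in the description copies the full block whenever `ret` is 0, so after this change the unfilled tail reaches userspace as zeros rather than stale heap bytes, with no error. If the command path exposes how many bytes the device actually transferred (not visible here), checking that before the copy would let the ioctl fail instead of returning padded data. A comment on the allocation, e.g. `/* zeroed: a failing drive may fill the buffer only partly */`, would record why `kzalloc` must not be reverted to `kmalloc`. The function body starts and continues outside the hunk.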
|
@ -0,0 +1,27 @@
|
||||||
|
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||||
|
Date: Wed, 19 Jun 2013 10:05:29 +1000
|
||||||
|
Subject: fanotify: info leak in copy_event_to_user()
|
||||||
|
|
||||||
|
commit d2e5df23489623877fa0a587570c44fe08be2f8f upstream.
|
||||||
|
|
||||||
|
The ->reserverd field isn't cleared so we leak one byte of stack
|
||||||
|
information to userspace.
|
||||||
|
|
||||||
|
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||||
|
Cc: Eric Paris <eparis@redhat.com>
|
||||||
|
Cc: Al Viro <viro@zeniv.linux.org.uk>
|
||||||
|
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||||
|
---
|
||||||
|
fs/notify/fanotify/fanotify_user.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
--- a/fs/notify/fanotify/fanotify_user.c
|
||||||
|
+++ b/fs/notify/fanotify/fanotify_user.c
|
||||||
|
@@ -121,6 +121,7 @@ static int fill_event_metadata(struct fs
|
||||||
|
metadata->event_len = FAN_EVENT_METADATA_LEN;
|
||||||
|
metadata->metadata_len = FAN_EVENT_METADATA_LEN;
|
||||||
|
metadata->vers = FANOTIFY_METADATA_VERSION;
|
||||||
|
+ metadata->reserved = 0;
|
||||||
|
metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS;
|
||||||
|
metadata->pid = pid_vnr(event->tgid);
|
||||||
|
if (unlikely(event->mask & FAN_Q_OVERFLOW))
|
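Review bot: Clearing fields one at a time in fill_event_metadata leaves the same class of leak open for any padding or later-added member of the metadata structure; the added `metadata->reserved = 0;` covers only the single byte named in the description. Zeroing the whole structure before it is filled, `memset(metadata, 0, sizeof(*metadata));` at the top of the function, would cover every byte that is later copied to userspace. The structure definition and the start of the function are outside the hunk, so whether padding exists today is not confirmed here.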
|
@ -108,3 +108,6 @@ bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
|
||||||
debian/powerpc-machdep-avoid-abi-change-in-3.9.6.patch
|
debian/powerpc-machdep-avoid-abi-change-in-3.9.6.patch
|
||||||
debian/yama-disable-by-default.patch
|
debian/yama-disable-by-default.patch
|
||||||
bugfix/x86/x86-efi-Fix-dummy-variable-buffer-allocation.patch
|
bugfix/x86/x86-efi-Fix-dummy-variable-buffer-allocation.patch
|
||||||
|
bugfix/all/fanotify-info-leak-in-copy_event_to_user.patch
|
||||||
|
bugfix/all/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardwa.patch
|
||||||
|
bugfix/all/block-do-not-pass-disk-names-as-format-strings.patch
|
||||||
|
|