[kernel] r19990 - in dists/squeeze-security/linux-2.6/debian: . patches/features/all/tg3 patches/series

Ben Hutchings benh at alioth.debian.org
Sun Apr 28 21:06:16 UTC 2013


Author: benh
Date: Sun Apr 28 21:06:15 2013
New Revision: 19990

Log:
tg3: fix length overflow in VPD firmware parsing (CVE-2013-1929)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/features/all/tg3/0209-tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Sun Apr 28 20:51:47 2013	(r19989)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sun Apr 28 21:06:15 2013	(r19990)
@@ -36,6 +36,7 @@
   * intel-iommu: Flush unmaps at domain_exit
   * fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check
     (CVE-2013-1928)
+  * tg3: fix length overflow in VPD firmware parsing (CVE-2013-1929)
 
  -- dann frazier <dannf at dannf.org>  Mon, 11 Mar 2013 08:47:43 +0100
 
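Review bot: The trailer of the entry receiving the new tg3 line still reads dann frazier, Mon, 11 Mar 2013, while this revision is dated 28 Apr 2013. Refresh the trailer (name and date) when the upload is finalized so the changelog shows who released the CVE-2013-1929 fix and when.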

Added: dists/squeeze-security/linux-2.6/debian/patches/features/all/tg3/0209-tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/tg3/0209-tg3-fix-length-overflow-in-VPD-firmware-parsing.patch	Sun Apr 28 21:06:15 2013	(r19990)
@@ -0,0 +1,43 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Wed, 27 Mar 2013 06:40:50 +0000
+Subject: tg3: fix length overflow in VPD firmware parsing
+
+commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424 upstream.
+
+Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version
+when present") introduced VPD parsing that contained a potential length
+overflow.
+
+Limit the hardware's reported firmware string length (max 255 bytes) to
+stay inside the driver's firmware string length (32 bytes). On overflow,
+truncate the formatted firmware string instead of potentially overwriting
+portions of the tg3 struct.
+
+http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reported-by: Oded Horovitz <oded at privatecore.com>
+Reported-by: Brad Spengler <spender at grsecurity.net>
+Cc: Matt Carlson <mcarlson at broadcom.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to squeeze]
+---
+ drivers/net/tg3.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tg3.c
++++ b/drivers/net/tg3.c
+@@ -12568,8 +12568,11 @@ static void tg3_read_vpd(struct tg3 *tp)
+ 		if (j + len > block_end)
+ 			goto partno;
+ 
+-		memcpy(tp->fw_ver, &vpd_data[j], len);
+-		strncat(tp->fw_ver, " bc ", TG3_NVM_VPD_LEN - len - 1);
++		if (len >= sizeof(tp->fw_ver))
++			len = sizeof(tp->fw_ver) - 1;
++		memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
++		snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
++			 &vpd_data[j]);
+ 	}
+ 
+ partno:
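Review bot: In the tg3_read_vpd() hunk the clamp `len = sizeof(tp->fw_ver) - 1` truncates silently, so a VPD field whose reported length exceeds the 32-byte fw_ver buffer leaves no trace. Consider logging a one-time warning on that path, since an oversized length points at malformed or tampered VPD data. The snprintf() bound also drops part or all of the " bc " suffix once len reaches 28, which the commit message accepts as truncation but which deserves a short comment for anyone who parses fw_ver later. Separately, the "[bwh: Backported to squeeze]" tag does not say what was adapted. A few words on the adjustments would help anyone comparing against upstream 715230a44310a8cf66fbfb5a46f9a62a9b2de424.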

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Sun Apr 28 20:51:47 2013	(r19989)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2	Sun Apr 28 21:06:15 2013	(r19990)
@@ -35,3 +35,4 @@
 + bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch
 + bugfix/all/intel-iommu-Flush-unmaps-at-domain_exit.patch
 + bugfix/all/fs-compat_ioctl.c-VIDEO_SET_SPU_PALETTE-missing-erro.patch
++ features/all/tg3/0209-tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
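Review bot: The new series entry points into features/all/tg3/ while the neighbouring fixes in this hunk all come from bugfix/all/. If that placement is deliberate because the fix must apply on top of the earlier tg3 feature patches (it is numbered 0209), say so in the changelog or the patch header. Otherwise file it with the other bugfixes so security fixes are easy to audit.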


