[kernel] r19990 - in dists/squeeze-security/linux-2.6/debian: . patches/features/all/tg3 patches/series
Ben Hutchings
benh at alioth.debian.org
Sun Apr 28 21:06:16 UTC 2013
Author: benh
Date: Sun Apr 28 21:06:15 2013
New Revision: 19990
Log:
tg3: fix length overflow in VPD firmware parsing (CVE-2013-1929)
Added:
dists/squeeze-security/linux-2.6/debian/patches/features/all/tg3/0209-tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Sun Apr 28 20:51:47 2013 (r19989)
+++ dists/squeeze-security/linux-2.6/debian/changelog Sun Apr 28 21:06:15 2013 (r19990)
@@ -36,6 +36,7 @@
* intel-iommu: Flush unmaps at domain_exit
* fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check
(CVE-2013-1928)
+ * tg3: fix length overflow in VPD firmware parsing (CVE-2013-1929)
-- dann frazier <dannf at dannf.org> Mon, 11 Mar 2013 08:47:43 +0100
Added: dists/squeeze-security/linux-2.6/debian/patches/features/all/tg3/0209-tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/features/all/tg3/0209-tg3-fix-length-overflow-in-VPD-firmware-parsing.patch Sun Apr 28 21:06:15 2013 (r19990)
@@ -0,0 +1,43 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Wed, 27 Mar 2013 06:40:50 +0000
+Subject: tg3: fix length overflow in VPD firmware parsing
+
+commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424 upstream.
+
+Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version
+when present") introduced VPD parsing that contained a potential length
+overflow.
+
+Limit the hardware's reported firmware string length (max 255 bytes) to
+stay inside the driver's firmware string length (32 bytes). On overflow,
+truncate the formatted firmware string instead of potentially overwriting
+portions of the tg3 struct.
+
+http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reported-by: Oded Horovitz <oded at privatecore.com>
+Reported-by: Brad Spengler <spender at grsecurity.net>
+Cc: Matt Carlson <mcarlson at broadcom.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to squeeze]
+---
+ drivers/net/tg3.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tg3.c
++++ b/drivers/net/tg3.c
+@@ -12568,8 +12568,11 @@ static void tg3_read_vpd(struct tg3 *tp)
+ if (j + len > block_end)
+ goto partno;
+
+- memcpy(tp->fw_ver, &vpd_data[j], len);
+- strncat(tp->fw_ver, " bc ", TG3_NVM_VPD_LEN - len - 1);
++ if (len >= sizeof(tp->fw_ver))
++ len = sizeof(tp->fw_ver) - 1;
++ memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
++ snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
++ &vpd_data[j]);
+ }
+
+ partno:
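Review bot: In the tg3_read_vpd() hunk, len is passed as the "%.*s" precision to snprintf(), which must be an int; its declaration is outside the visible context, so confirm the type or add a cast. Also, once len has been clamped to sizeof(tp->fw_ver) - 1, the formatted string fills the whole buffer and the " bc " separator is dropped without any indication. That matches the truncation described in the commit message, but a one-line comment above the clamp would make it explicit. The "[bwh: Backported to squeeze]" tag could also state what was adjusted for this tree.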
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2 Sun Apr 28 20:51:47 2013 (r19989)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2 Sun Apr 28 21:06:15 2013 (r19990)
@@ -35,3 +35,4 @@
+ bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch
+ bugfix/all/intel-iommu-Flush-unmaps-at-domain_exit.patch
+ bugfix/all/fs-compat_ioctl.c-VIDEO_SET_SPU_PALETTE-missing-erro.patch
++ features/all/tg3/0209-tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
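Review bot: The new series entry files a CVE fix under features/all/tg3/, while the neighbouring fixes in this hunk sit under bugfix/all/. If the placement is because the patch applies on top of the backported tg3 series (the 0209 prefix suggests so), note that in the changelog entry or in a series comment, so the fix is not missed when someone audits bugfix/ for security patches.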