[kernel] r20169 - in dists/sid/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at alioth.debian.org
Sat Jun 1 18:49:35 UTC 2013
Author: benh
Date: Sat Jun 1 18:49:35 2013
New Revision: 20169
Log:
iscsi-target: fix heap buffer overflow on error (CVE-2013-2850)
Added:
dists/sid/linux/debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch
Modified:
dists/sid/linux/debian/changelog
dists/sid/linux/debian/patches/series
Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog Sat Jun 1 18:33:47 2013 (r20168)
+++ dists/sid/linux/debian/changelog Sat Jun 1 18:49:35 2013 (r20169)
@@ -64,6 +64,7 @@
* [x86] vfio: Enable VFIO, VFIO_PCI as modules
* [x86] hv: Enable HYPERV_BALLOON as module
* security: Enable SECURITY_YAMA, SECURITY_YAMA_STACKED (Closes: #704750)
+ * iscsi-target: fix heap buffer overflow on error (CVE-2013-2850)
[ Aurelien Jarno ]
* [mips] Enable KEXEC.
Added: dists/sid/linux/debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch Sat Jun 1 18:49:35 2013 (r20169)
@@ -0,0 +1,62 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Thu, 23 May 2013 17:32:17 +0000
+Subject: iscsi-target: fix heap buffer overflow on error
+
+commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream.
+
+If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
+error response packet, generated by iscsi_add_notunderstood_response(),
+would still attempt to copy the entire key into the packet, overflowing
+the structure on the heap.
+
+Remote preauthentication kernel memory corruption was possible if a
+target was configured and listening on the network.
+
+CVE-2013-2850
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: stable at vger.kernel.org
+Signed-off-by: Nicholas Bellinger <nab at linux-iscsi.org>
+---
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
+index c2185fc..e382221 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response(
+ }
+ INIT_LIST_HEAD(&extra_response->er_list);
+
+- strncpy(extra_response->key, key, strlen(key) + 1);
+- strncpy(extra_response->value, NOTUNDERSTOOD,
+- strlen(NOTUNDERSTOOD) + 1);
++ strlcpy(extra_response->key, key, sizeof(extra_response->key));
++ strlcpy(extra_response->value, NOTUNDERSTOOD,
++ sizeof(extra_response->value));
+
+ list_add_tail(&extra_response->er_list,
+ ¶m_list->extra_response_list);
+@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input(
+
+ if (phase & PHASE_SECURITY) {
+ if (iscsi_check_for_auth_key(key) > 0) {
+- char *tmpptr = key + strlen(key);
+- *tmpptr = '=';
+ kfree(tmpbuf);
+ return 1;
+ }
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
+index 915b067..a47046a 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.h
++++ b/drivers/target/iscsi/iscsi_target_parameters.h
+@@ -1,8 +1,10 @@
+ #ifndef ISCSI_PARAMETERS_H
+ #define ISCSI_PARAMETERS_H
+
++#include <scsi/iscsi_proto.h>
++
+ struct iscsi_extra_response {
+- char key[64];
++ char key[KEY_MAXLEN];
+ char value[32];
+ struct list_head er_list;
+ } ____cacheline_aligned;
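Review bot: The new `strlcpy()` into `extra_response->key` in iscsi_add_notunderstood_response() truncates silently, so an over-long key on the error path is answered with a shortened key name and nothing at the call site says that this is intended. A comment above the copy would record it, e.g. `/* key may be longer than sizeof(extra_response->key) when it was rejected for length; truncating it here is deliberate */`. The safety of the copy now rests on the `sizeof` of the destination, while the meaning of the array size comes from `KEY_MAXLEN` in `<scsi/iscsi_proto.h>`, whose value is not visible in this patch; `value[32]` remains a bare number next to it. The hunk in iscsi_decode_text_input() also drops the `'='` write without a word in the commit message; it looks redundant because `tmpbuf` is freed on the next line, but that is inferred, since both function bodies start and end outside the hunks shown.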
Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series Sat Jun 1 18:33:47 2013 (r20168)
+++ dists/sid/linux/debian/patches/series Sat Jun 1 18:49:35 2013 (r20169)
@@ -103,3 +103,5 @@
features/arm/imx53-qsb-usb-power.patch
features/arm/0001-thermal-Add-driver-for-Armada-370-XP-SoC-thermal-man.patch
features/arm/0001-ARM-mvebu-Add-thermal-support-to-Armada-XP-device-tr.patch
+
+bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch