[kernel] r20200 - in dists/wheezy/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at alioth.debian.org
Wed Jun 5 03:43:11 UTC 2013


Author: benh
Date: Wed Jun  5 03:43:11 2013
New Revision: 20200

Log:
iscsi-target: fix heap buffer overflow on error (CVE-2013-2850)

Added:
   dists/wheezy/linux/debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch
Modified:
   dists/wheezy/linux/debian/changelog
   dists/wheezy/linux/debian/patches/series

Modified: dists/wheezy/linux/debian/changelog
==============================================================================
--- dists/wheezy/linux/debian/changelog	Wed Jun  5 03:35:23 2013	(r20199)
+++ dists/wheezy/linux/debian/changelog	Wed Jun  5 03:43:11 2013	(r20200)
@@ -186,6 +186,7 @@
   * bug script: Remove broken sound functions (Closes: #705619)
   * [i386/486] udeb: Add lxfb to fb-modules (Closes: #705780)
   * [i386] cpufreq / Longhaul: Disable driver by default (Closes: #707047)
+  * iscsi-target: fix heap buffer overflow on error (CVE-2013-2850)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 27 Mar 2013 14:10:40 +0000
 

Added: dists/wheezy/linux/debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch	Wed Jun  5 03:43:11 2013	(r20200)
@@ -0,0 +1,65 @@
+From: Kees Cook <keescook at chromium.org>
+Date: Thu, 23 May 2013 10:32:17 -0700
+Subject: iscsi-target: fix heap buffer overflow on error
+
+commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream.
+
+If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
+error response packet, generated by iscsi_add_notunderstood_response(),
+would still attempt to copy the entire key into the packet, overflowing
+the structure on the heap.
+
+Remote preauthentication kernel memory corruption was possible if a
+target was configured and listening on the network.
+
+CVE-2013-2850
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Signed-off-by: Nicholas Bellinger <nab at linux-iscsi.org>
+---
+ drivers/target/iscsi/iscsi_target_parameters.c |    8 +++-----
+ drivers/target/iscsi/iscsi_target_parameters.h |    4 +++-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
+index c2185fc..e382221 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response(
+ 	}
+ 	INIT_LIST_HEAD(&extra_response->er_list);
+ 
+-	strncpy(extra_response->key, key, strlen(key) + 1);
+-	strncpy(extra_response->value, NOTUNDERSTOOD,
+-			strlen(NOTUNDERSTOOD) + 1);
++	strlcpy(extra_response->key, key, sizeof(extra_response->key));
++	strlcpy(extra_response->value, NOTUNDERSTOOD,
++		sizeof(extra_response->value));
+ 
+ 	list_add_tail(&extra_response->er_list,
+ 			&param_list->extra_response_list);
+@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input(
+ 
+ 		if (phase & PHASE_SECURITY) {
+ 			if (iscsi_check_for_auth_key(key) > 0) {
+-				char *tmpptr = key + strlen(key);
+-				*tmpptr = '=';
+ 				kfree(tmpbuf);
+ 				return 1;
+ 			}
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
+index 915b067..a47046a 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.h
++++ b/drivers/target/iscsi/iscsi_target_parameters.h
+@@ -1,8 +1,10 @@
+ #ifndef ISCSI_PARAMETERS_H
+ #define ISCSI_PARAMETERS_H
+ 
++#include <scsi/iscsi_proto.h>
++
+ struct iscsi_extra_response {
+-	char key[64];
++	char key[KEY_MAXLEN];
+ 	char value[32];
+ 	struct list_head er_list;
+ } ____cacheline_aligned;
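Review bot: The two `strlcpy()` calls added in `iscsi_add_notunderstood_response()` discard their return value, so a key longer than `sizeof(extra_response->key) - 1` is now echoed back in the NotUnderstood response silently truncated, and nothing in the code says this is deliberate. I would add a comment above them such as `/* key can be longer than KEY_MAXLEN when iscsi_check_key() rejected it; truncating the echoed key is intentional */`. If the caller does not already log the oversized key, a rate-limited warning there would give operators a signal that malformed login keys are arriving. Separately, the description does not mention the removal of the `'='` restore in `iscsi_decode_text_input()`; it looks like a dead store because `tmpbuf` is freed on the next line, assuming `key` points into `tmpbuf`, and one sentence in the commit message would settle that. Both functions start and end outside the embedded hunks.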

Modified: dists/wheezy/linux/debian/patches/series
==============================================================================
--- dists/wheezy/linux/debian/patches/series	Wed Jun  5 03:35:23 2013	(r20199)
+++ dists/wheezy/linux/debian/patches/series	Wed Jun  5 03:43:11 2013	(r20200)
@@ -632,3 +632,4 @@
 
 bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch
 bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch
+bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch


