[kernel] r20104 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all

Wed May 15 03:57:21 UTC 2013

Author: dannf
Date: Wed May 15 03:57:20 2013
New Revision: 20104

Log:
tg3: fix length overflow in VPD firmware parsing

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================

--- dists/wheezy-security/linux/debian/changelog	Wed May 15 03:10:33 2013	(r20103)
+++ dists/wheezy-security/linux/debian/changelog	Wed May 15 03:57:20 2013	(r20104)
@@ -20,6 +20,7 @@
   * rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)
   * tipc: fix info leaks via msg_name in  recv_msg/recv_stream (CVE-2013-3235)
   * tracing: Fix possible NULL pointer dereferences (CVE-2013-3301)
+  * tg3: fix length overflow in VPD firmware parsing
   
   [ Ben Hutchings ]
   * [x86] KVM: Allow cross page reads and writes from cached translations.

Added: dists/wheezy-security/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch	Wed May 15 03:57:20 2013	(r20104)
@@ -0,0 +1,49 @@
+From 2b79fa8fddde2d070ca28a2d94394c39bfd8d741 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook at chromium.org>
+Date: Wed, 27 Mar 2013 06:40:50 +0000
+Subject: [PATCH] tg3: fix length overflow in VPD firmware parsing
+
+commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424 upstream.
+
+Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version
+when present") introduced VPD parsing that contained a potential length
+overflow.
+
+Limit the hardware's reported firmware string length (max 255 bytes) to
+stay inside the driver's firmware string length (32 bytes). On overflow,
+truncate the formatted firmware string instead of potentially overwriting
+portions of the tg3 struct.
+
+http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reported-by: Oded Horovitz <oded at privatecore.com>
+Reported-by: Brad Spengler <spender at grsecurity.net>
+Cc: Matt Carlson <mcarlson at broadcom.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/net/ethernet/broadcom/tg3.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
+index c86fa50..c6b9903 100644
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -13433,8 +13433,11 @@ static void __devinit tg3_read_vpd(struct tg3 *tp)
+ 		if (j + len > block_end)
+ 			goto partno;
+ 
+-		memcpy(tp->fw_ver, &vpd_data[j], len);
+-		strncat(tp->fw_ver, " bc ", vpdlen - len - 1);
++		if (len >= sizeof(tp->fw_ver))
++			len = sizeof(tp->fw_ver) - 1;
++		memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
++		snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
++			 &vpd_data[j]);
+ 	}
+ 
+ partno:
+-- 
+1.7.10.4
+

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Wed May 15 03:10:33 2013	(r20103)
+++ dists/wheezy-security/linux/debian/patches/series	Wed May 15 03:57:20 2013	(r20104)
@@ -659,3 +659,4 @@
 bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch
 bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch
 bugfix/all/net-fix-incorrect-credentials-passing.patch
+bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch

