[kernel] r20104 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Dann Frazier
dannf at alioth.debian.org
Wed May 15 03:57:21 UTC 2013
Author: dannf
Date: Wed May 15 03:57:20 2013
New Revision: 20104
Log:
tg3: fix length overflow in VPD firmware parsing
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Wed May 15 03:10:33 2013 (r20103)
+++ dists/wheezy-security/linux/debian/changelog Wed May 15 03:57:20 2013 (r20104)
@@ -20,6 +20,7 @@
* rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)
* tipc: fix info leaks via msg_name in recv_msg/recv_stream (CVE-2013-3235)
* tracing: Fix possible NULL pointer dereferences (CVE-2013-3301)
+ * tg3: fix length overflow in VPD firmware parsing
[ Ben Hutchings ]
* [x86] KVM: Allow cross page reads and writes from cached translations.
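Review bot: the added `* tg3: fix length overflow in VPD firmware parsing` entry carries no CVE reference, while the three entries directly above it each end with one in parentheses. If an identifier has been assigned for this issue, append it in the same form so the changelog entry can be matched to its advisory; if none exists yet, the entry is fine as written.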
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch Wed May 15 03:57:20 2013 (r20104)
@@ -0,0 +1,49 @@
+From 2b79fa8fddde2d070ca28a2d94394c39bfd8d741 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook at chromium.org>
+Date: Wed, 27 Mar 2013 06:40:50 +0000
+Subject: [PATCH] tg3: fix length overflow in VPD firmware parsing
+
+commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424 upstream.
+
+Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version
+when present") introduced VPD parsing that contained a potential length
+overflow.
+
+Limit the hardware's reported firmware string length (max 255 bytes) to
+stay inside the driver's firmware string length (32 bytes). On overflow,
+truncate the formatted firmware string instead of potentially overwriting
+portions of the tg3 struct.
+
+http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reported-by: Oded Horovitz <oded at privatecore.com>
+Reported-by: Brad Spengler <spender at grsecurity.net>
+Cc: Matt Carlson <mcarlson at broadcom.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/net/ethernet/broadcom/tg3.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
+index c86fa50..c6b9903 100644
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -13433,8 +13433,11 @@ static void __devinit tg3_read_vpd(struct tg3 *tp)
+ if (j + len > block_end)
+ goto partno;
+
+- memcpy(tp->fw_ver, &vpd_data[j], len);
+- strncat(tp->fw_ver, " bc ", vpdlen - len - 1);
++ if (len >= sizeof(tp->fw_ver))
++ len = sizeof(tp->fw_ver) - 1;
++ memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
++ snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
++ &vpd_data[j]);
+ }
+
+ partno:
+--
+1.7.10.4
+
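Review bot: in the tg3_read_vpd() hunk, `len` is passed as the precision for `%.*s`, which must be an int, but its declaration lies outside the visible context and two lines earlier it is compared against `sizeof(tp->fw_ver)`, a size_t. Please confirm `len` is declared int, or cast it at the call, e.g. `"%.*s bc ", (int)len, &vpd_data[j]`. A short comment would also help here: when `len` is clamped to `sizeof(tp->fw_ver) - 1`, snprintf() truncates and the " bc " suffix is dropped completely, and the memset() only serves to clear stale bytes past the terminator, since snprintf() already NUL-terminates within the given size.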
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Wed May 15 03:10:33 2013 (r20103)
+++ dists/wheezy-security/linux/debian/patches/series Wed May 15 03:57:20 2013 (r20104)
@@ -659,3 +659,4 @@
bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch
bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch
bugfix/all/net-fix-incorrect-credentials-passing.patch
+bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch