authorHannes Reinecke <hare@suse.de>2013-05-24 11:05:40 +0200
committerHannes Reinecke <hare@suse.de>2013-05-24 11:05:40 +0200
commit590b33ac151b27aa44b943eda8b398f79bacf205 (patch)
tree1f2ef70cfd03f317f93f62f0d885fda28f10ed57
parent5e244d71e04c1b45a88aca2e76a3bd9a493289ac (diff)
- patches.fixes/iscsi-target-fix-heap-buffer-overflow-on-error.patch:rpm-3.0.74-0.6.10
iscsi-target: fix heap buffer overflow on error (CVE-2013-2850, bnc#821560).
-rw-r--r--kernel-source.changes7
-rw-r--r--patches.fixes/iscsi-target-fix-heap-buffer-overflow-on-error.patch68
-rw-r--r--series.conf1
3 files changed, 76 insertions, 0 deletions
diff --git a/kernel-source.changes b/kernel-source.changes
index e5e228c154..e3850b7cd9 100644
--- a/kernel-source.changes
+++ b/kernel-source.changes
@@ -1,4 +1,11 @@
-------------------------------------------------------------------
+Fri May 24 11:05:34 CEST 2013 - hare@suse.de
+
+- patches.fixes/iscsi-target-fix-heap-buffer-overflow-on-error.patch:
+ iscsi-target: fix heap buffer overflow on error (CVE-2013-2850,
+ bnc#821560).
+
+-------------------------------------------------------------------
Wed May 15 09:26:29 CEST 2013 - jkosina@suse.cz
- patches.fixes/perf-treat-attr.config-as-u64-in-perf_swevent_init.patch:
diff --git a/patches.fixes/iscsi-target-fix-heap-buffer-overflow-on-error.patch b/patches.fixes/iscsi-target-fix-heap-buffer-overflow-on-error.patch
new file mode 100644
index 0000000000..bc3346eceb
--- /dev/null
+++ b/patches.fixes/iscsi-target-fix-heap-buffer-overflow-on-error.patch
@@ -0,0 +1,68 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 22 May 2013 15:30:15 -0700
+Subject: [PATCH] iscsi-target: fix heap buffer overflow on error
+References: CVE-2013-2850, bnc#821560
+Patch-Mainline: embargoed
+
+If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
+error response packet, generated by iscsi_add_notunderstood_response(),
+would still attempt to copy the entire key into the packet, overflowing
+the structure on the heap.
+
+Remote preauthentication kernel memory corruption was possible if a
+target was configured and listening on the network.
+
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Acked-by: Hannes Reinecke <hare@suse.de>
+---
+ drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
+ drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
+index c2185fc..e382221 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response(
+ }
+ INIT_LIST_HEAD(&extra_response->er_list);
+
+- strncpy(extra_response->key, key, strlen(key) + 1);
+- strncpy(extra_response->value, NOTUNDERSTOOD,
+- strlen(NOTUNDERSTOOD) + 1);
++ strlcpy(extra_response->key, key, sizeof(extra_response->key));
++ strlcpy(extra_response->value, NOTUNDERSTOOD,
++ sizeof(extra_response->value));
+
+ list_add_tail(&extra_response->er_list,
+ &param_list->extra_response_list);
+@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input(
+
+ if (phase & PHASE_SECURITY) {
+ if (iscsi_check_for_auth_key(key) > 0) {
+- char *tmpptr = key + strlen(key);
+- *tmpptr = '=';
+ kfree(tmpbuf);
+ return 1;
+ }
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
+index 915b067..a47046a 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.h
++++ b/drivers/target/iscsi/iscsi_target_parameters.h
+@@ -1,8 +1,10 @@
+ #ifndef ISCSI_PARAMETERS_H
+ #define ISCSI_PARAMETERS_H
+
++#include <scsi/iscsi_proto.h>
++
+ struct iscsi_extra_response {
+- char key[64];
++ char key[KEY_MAXLEN];
+ char value[32];
+ struct list_head er_list;
+ } ____cacheline_aligned;
+--
+1.7.9.5
+
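Review bot: The new `strlcpy(extra_response->key, key, sizeof(extra_response->key))` discards strlcpy's return value, so truncation is silent: `<scsi/iscsi_proto.h>` defines KEY_MAXLEN as 64, and the description says iscsi_check_key() rejects only keys larger than 64 bytes, which suggests a key of exactly 64 bytes passes the check but is cut to 63 characters plus NUL here, so the NotUnderstood response would echo a key different from the one received (the exact comparison in iscsi_check_key() is outside this patch, so this is inferred). The overflow itself is closed by the bounded copy; the remaining question is only fidelity of the echoed key. Either size the field one larger, `char key[KEY_MAXLEN + 1];`, or make truncation visible, `if (strlcpy(extra_response->key, key, sizeof(extra_response->key)) >= sizeof(extra_response->key)) pr_debug("key truncated in NotUnderstood response\n");`, so that the two limits agree by construction. The body of iscsi_add_notunderstood_response() starts before the hunk and the change's interaction with its allocation and error path cannot be checked from here.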
diff --git a/series.conf b/series.conf
index 656eedb0d2..0d1af21128 100644
--- a/series.conf
+++ b/series.conf
@@ -3122,6 +3122,7 @@
patches.drivers/target-0075-target-Skip-non-hex-characters-for-VPD-0x83-NAA-IEE.patch
patches.drivers/target-0076-iscsi-target-Disable-markers-remove-dangerous-loc.patch
patches.drivers/target-0077-iscsi-target-Fix-sendpage-breakage-with-proper-padd.patch
+ patches.fixes/iscsi-target-fix-heap-buffer-overflow-on-error.patch
########################################################
# iSCSI