[Acked] [Precise][CVE-2013-6378] libertas: potential oops in debugfs

[Andy Whitcroft]

On Fri, Nov 29, 2013 at 01:42:59PM +0000, Luis Henriques wrote:
> From: Dan Carpenter <dan.carpenter at oracle.com>
> 
> CVE-2013-6378
> 
> BugLink: http://bugs.launchpad.net/bugs/1256080
> 
> If we do a zero size allocation then it will oops.  Also we can't be
> sure the user passes us a NUL terminated string so I've added a
> terminator.
> 
> This code can only be triggered by root.
> 
> Reported-by: Nico Golde <nico at ngolde.de>
> Reported-by: Fabian Yamaguchi <fabs at goesec.de>
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
> Acked-by: Dan Williams <dcbw at redhat.com>
> Signed-off-by: John W. Linville <linville at tuxdriver.com>
> (cherry picked from commit a497e47d4aec37aaf8f13509f3ef3d1f6a717d88)
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  drivers/net/wireless/libertas/debugfs.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
> index d8d8f0d..35d86fa 100644
> --- a/drivers/net/wireless/libertas/debugfs.c
> +++ b/drivers/net/wireless/libertas/debugfs.c
> @@ -919,7 +919,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
>  	char *p2;
>  	struct debug_data *d = f->private_data;
>  
> -	pdata = kmalloc(cnt, GFP_KERNEL);
> +	if (cnt == 0)
> +		return 0;
> +
> +	pdata = kmalloc(cnt + 1, GFP_KERNEL);
>  	if (pdata == NULL)
>  		return 0;
>  
> @@ -928,6 +931,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
>  		kfree(pdata);
>  		return 0;
>  	}
> +	pdata[cnt] = '\0';
>  
>  	p0 = pdata;
>  	for (i = 0; i < num_of_items; i++) {

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw