[ 3.8.y.z extended stable ] Patch "libceph: Fix NULL pointer dereference in auth client code" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Tue Jul 16 22:54:00 UTC 2013


This is a note to let you know that I have just added a patch titled

    libceph: Fix NULL pointer dereference in auth client code

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.5.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From c5d817efe9cbc3f59d5409715d57b6cb1743ee8e Mon Sep 17 00:00:00 2001
From: Tyler Hicks <tyhicks at canonical.com>
Date: Thu, 20 Jun 2013 13:13:59 -0700
Subject: libceph: Fix NULL pointer dereference in auth client code

commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream.

A malicious monitor can craft an auth reply message that could cause a
NULL function pointer dereference in the client's kernel.

To prevent this, the auth_none protocol handler needs an empty
ceph_auth_client_ops->build_request() function.

CVE-2013-1059

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Reported-by: Chanam Park <chanam.park at hkpco.kr>
Reviewed-by: Seth Arnold <seth.arnold at canonical.com>
Reviewed-by: Sage Weil <sage at inktank.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 net/ceph/auth_none.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/ceph/auth_none.c b/net/ceph/auth_none.c
index 925ca58..8c93fa8 100644
--- a/net/ceph/auth_none.c
+++ b/net/ceph/auth_none.c
@@ -39,6 +39,11 @@ static int should_authenticate(struct ceph_auth_client *ac)
 	return xi->starting;
 }

+static int build_request(struct ceph_auth_client *ac, void *buf, void *end)
+{
+	return 0;
+}
+
 /*
  * the generic auth code decode the global_id, and we carry no actual
  * authenticate state, so nothing happens here.
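Review bot: The new build_request() stub added just above the handle_reply comment carries no comment of its own, so a later reader cannot tell that the empty body is deliberate rather than unfinished. Suggest a short comment saying that auth_none has no request payload to build, that the function exists only so the ops->build_request slot is never NULL, and what a return value of 0 means to the caller. The buf and end parameters are unused, which is fine for a stub but worth stating in that same comment.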
@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops ceph_auth_none_ops = {
 	.destroy = destroy,
 	.is_authenticated = is_authenticated,
 	.should_authenticate = should_authenticate,
+	.build_request = build_request,
 	.handle_reply = handle_reply,
 	.create_authorizer = ceph_auth_none_create_authorizer,
 	.destroy_authorizer = ceph_auth_none_destroy_authorizer,
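Review bot: The added ".build_request = build_request," line repairs this one ops table but leaves the call site as it was, and per the commit message that call site dereferences the pointer on monitor-controlled input without checking it. Because ceph_auth_none_ops is built with designated initializers, any member left out is NULL, so a handler that omits build_request (or another optional member) in future would bring the same crash back. Consider a follow-up that validates the required ops when a protocol handler is set up, or that checks the pointer before the call in the generic auth code.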
--
1.8.1.2




