[ 3.5.y.z extended stable ] Patch "iscsi-target: fix heap buffer overflow on error" has been added to staging queue
Luis Henriques
luis.henriques at canonical.com
Mon Jun 3 13:35:54 UTC 2013
This is a note to let you know that I have just added a patch titled
iscsi-target: fix heap buffer overflow on error
to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree
which can be found at:
http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue
If you, or anyone else, feels it should not be added to this tree, please
reply to this email.
For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
Thanks.
-Luis
------
>From ae73f376f5234e8fcec11e8662e0795e0829632d Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook at chromium.org>
Date: Thu, 23 May 2013 10:32:17 -0700
Subject: [PATCH] iscsi-target: fix heap buffer overflow on error
commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream.
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
error response packet, generated by iscsi_add_notunderstood_response(),
would still attempt to copy the entire key into the packet, overflowing
the structure on the heap.
Remote preauthentication kernel memory corruption was possible if a
target was configured and listening on the network.
CVE-2013-2850
Signed-off-by: Kees Cook <keescook at chromium.org>
Signed-off-by: Nicholas Bellinger <nab at linux-iscsi.org>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
index ed5241e..18c086d 100644
--- a/drivers/target/iscsi/iscsi_target_parameters.c
+++ b/drivers/target/iscsi/iscsi_target_parameters.c
@@ -713,9 +713,9 @@ static int iscsi_add_notunderstood_response(
}
INIT_LIST_HEAD(&extra_response->er_list);
- strncpy(extra_response->key, key, strlen(key) + 1);
- strncpy(extra_response->value, NOTUNDERSTOOD,
- strlen(NOTUNDERSTOOD) + 1);
+ strlcpy(extra_response->key, key, sizeof(extra_response->key));
+ strlcpy(extra_response->value, NOTUNDERSTOOD,
+ sizeof(extra_response->value));
list_add_tail(&extra_response->er_list,
¶m_list->extra_response_list);
@@ -1554,8 +1554,6 @@ int iscsi_decode_text_input(
if (phase & PHASE_SECURITY) {
if (iscsi_check_for_auth_key(key) > 0) {
- char *tmpptr = key + strlen(key);
- *tmpptr = '=';
kfree(tmpbuf);
return 1;
}
diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
index 6a37fd6..83eed65 100644
--- a/drivers/target/iscsi/iscsi_target_parameters.h
+++ b/drivers/target/iscsi/iscsi_target_parameters.h
@@ -1,8 +1,10 @@
#ifndef ISCSI_PARAMETERS_H
#define ISCSI_PARAMETERS_H
+#include <scsi/iscsi_proto.h>
+
struct iscsi_extra_response {
- char key[64];
+ char key[KEY_MAXLEN];
char value[32];
struct list_head er_list;
} ____cacheline_aligned;
--
1.8.1.2
More information about the kernel-team
mailing list