diff options
Diffstat (limited to 'main/linux-grsec/CVE-2013-2852.patch')
-rw-r--r-- | main/linux-grsec/CVE-2013-2852.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/main/linux-grsec/CVE-2013-2852.patch b/main/linux-grsec/CVE-2013-2852.patch new file mode 100644 index 0000000000..84249e5ebf --- /dev/null +++ b/main/linux-grsec/CVE-2013-2852.patch @@ -0,0 +1,32 @@ +From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001 +From: Kees Cook <keescook@chromium.org> +Date: Fri, 10 May 2013 21:48:21 +0000 +Subject: b43: stop format string leaking into error msgs + +The module parameter "fwpostfix" is userspace controllable, unfiltered, +and is used to define the firmware filename. b43_do_request_fw() populates +ctx->errors[] on error, containing the firmware filename. b43err() +parses its arguments as a format string. For systems with b43 hardware, +this could lead to a uid-0 to ring-0 escalation. + +CVE-2013-2852 + +Signed-off-by: Kees Cook <keescook@chromium.org> +Cc: stable@vger.kernel.org +Signed-off-by: John W. Linville <linville@tuxdriver.com> +--- +diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c +index 6dd07e2..a95b77a 100644 +--- a/drivers/net/wireless/b43/main.c ++++ b/drivers/net/wireless/b43/main.c +@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work) + for (i = 0; i < B43_NR_FWTYPES; i++) { + errmsg = ctx->errors[i]; + if (strlen(errmsg)) +- b43err(dev->wl, errmsg); ++ b43err(dev->wl, "%s", errmsg); + } + b43_print_fw_helptext(dev->wl, 1); + goto out; +-- +cgit v0.9.2 |