Diffstat (limited to 'main')
-rw-r--r--main/linux-grsec/APKBUILD8
-rw-r--r--main/linux-grsec/CVE-2013-2164.patch45
-rw-r--r--main/linux-grsec/CVE-2013-2851.patch40
-rw-r--r--main/linux-grsec/CVE-2013-2852.patch32
4 files changed, 124 insertions, 1 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index afaece27d0..58310ad3a2 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=3.0.24
_kernver=3.0
-pkgrel=1
+pkgrel=2
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -25,6 +25,9 @@ source="ftp://ftp.kernel.org/pub/linux/kernel/v3.0/linux-$_kernver.tar.bz2
net-flow-remove-sleeping-and-deferral-mechanism-from-flow_cache_flush.patch
tcp-fix-syncookie-regression.patch
CVE-2013-2094.patch
+ CVE-2013-2164.patch
+ CVE-2013-2851.patch
+ CVE-2013-2852.patch
kernelconfig.x86
kernelconfig.x86_64
@@ -155,5 +158,8 @@ f3eda7112ef074a4121ec6de943c63ee x86-centaur-enable-cx8-for-via-eden-too.patch
b25335e8fcbf8c969230d55ac4e75cf8 net-flow-remove-sleeping-and-deferral-mechanism-from-flow_cache_flush.patch
2e1e492addb3addf92bd4a0f4b6c602a tcp-fix-syncookie-regression.patch
cfc7b3d39f8a16bfa0a584ca7c38fc17 CVE-2013-2094.patch
+df04be24efa715b32bf189c390ee20f7 CVE-2013-2164.patch
+372f8b1263cbd4be31cf14f213736dbd CVE-2013-2851.patch
+41013055e0ea2cd02fc066b16f65f732 CVE-2013-2852.patch
587b1fb2f6a5c9ba714900b856f57f09 kernelconfig.x86
99836ffe918bbdef7da1a56a3d075c7a kernelconfig.x86_64"
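Review bot: The three digests added in this hunk are 32 hex digits, which looks like MD5, and the `source=` line in the previous hunk header shows the kernel tarball fetched over `ftp://`. MD5 no longer offers collision resistance, so it is a weak sole integrity check for sources that arrive over an unauthenticated transport. If the abuild version on this branch supports a stronger checksum array such as `sha512sums`, add one covering the tarball and the new patch entries. The checksum block starts outside the hunk, so the variable name and the tarball's own digest are not visible here.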
diff --git a/main/linux-grsec/CVE-2013-2164.patch b/main/linux-grsec/CVE-2013-2164.patch
new file mode 100644
index 0000000000..6afb6c4d8b
--- /dev/null
+++ b/main/linux-grsec/CVE-2013-2164.patch
@@ -0,0 +1,45 @@
+From 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 Mon Sep 17 00:00:00 2001
+From: Jonathan Salwan <jonathan.salwan@gmail.com>
+Date: Thu, 06 Jun 2013 00:39:39 +0000
+Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
+
+In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
+area with kmalloc in line 2885.
+
+2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
+2886 if (cgc->buffer == NULL)
+2887 return -ENOMEM;
+
+In line 2908 we can find the copy_to_user function:
+
+2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
+
+The cgc->buffer is never cleaned and initialized before this function. If
+ret = 0 with the previous basic block, it's possible to display some
+memory bytes in kernel space from userspace.
+
+When we read a block from the disk it normally fills the ->buffer but if
+the drive is malfunctioning there is a chance that it would only be
+partially filled. The result is an leak information to userspace.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+---
+(limited to 'drivers/cdrom/cdrom.c')
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index d620b44..8a3aff7 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
+ if (lba < 0)
+ return -EINVAL;
+
+- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
+ if (cgc->buffer == NULL)
+ return -ENOMEM;
+
+--
+cgit v0.9.2
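Review bot: Nothing at the changed allocation in mmc_ioctl_cdrom_read_data() records why it must be a zeroing one, so a later cleanup could turn `kzalloc` back into `kmalloc` and reopen the leak. The patch description explains that copy_to_user() sends all `blocksize` bytes even when a failing drive fills the buffer only partially. A comment above the call such as `/* zeroed: a failing drive may fill this only partially before copy_to_user() */` would keep that reasoning next to the code. The function body continues outside the hunk, so whether the read path can report a short transfer cannot be checked from here.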
diff --git a/main/linux-grsec/CVE-2013-2851.patch b/main/linux-grsec/CVE-2013-2851.patch
new file mode 100644
index 0000000000..e3ff871772
--- /dev/null
+++ b/main/linux-grsec/CVE-2013-2851.patch
@@ -0,0 +1,40 @@
+diff --git a/block/genhd.c b/block/genhd.c
+index d7f7d4e..e9a5220 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -518,7 +518,7 @@ void register_disk(struct gendisk *disk)
+
+ ddev->parent = disk->driverfs_dev;
+
+- dev_set_name(ddev, disk->disk_name);
++ dev_set_name(ddev, "%s", disk->disk_name);
+
+ /* delay uevents, until we scanned partition table */
+ dev_set_uevent_suppress(ddev, 1);
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index f533f33..12a7368 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -658,7 +658,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
+
+ mutex_unlock(&lo->tx_lock);
+
+- thread = kthread_create(nbd_thread, lo, lo->disk->disk_name);
++ thread = kthread_create(nbd_thread, lo, "%s",
++ lo->disk->disk_name);
+ if (IS_ERR(thread)) {
+ mutex_lock(&lo->tx_lock);
+ return PTR_ERR(thread);
+diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
+index d4ed9eb..caac1b2 100644
+--- a/drivers/scsi/osd/osd_uld.c
++++ b/drivers/scsi/osd/osd_uld.c
+@@ -465,7 +465,7 @@ static int osd_probe(struct device *dev)
+ oud->class_dev.class = &osd_uld_class;
+ oud->class_dev.parent = dev;
+ oud->class_dev.release = __remove;
+- error = dev_set_name(&oud->class_dev, disk->disk_name);
++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
+ if (error) {
+ OSD_ERR("dev_set_name failed => %d\n", error);
+ goto err_put_cdev;
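Review bot: CVE-2013-2851.patch carries no From/Subject lines, description or upstream commit id, unlike the two sibling patches added in this commit. A reviewer therefore cannot match its three hunks (block/genhd.c, drivers/block/nbd.c, drivers/scsi/osd/osd_uld.c) against the upstream fix. Prepending the upstream mail header, or at least a line like `Upstream commit: <UPSTREAM_COMMIT_ID>`, would make the backport auditable. The code changes themselves are consistent: each call now passes `disk_name` as an argument to a literal `"%s"` rather than as the format. All three enclosing functions continue outside their hunks.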
diff --git a/main/linux-grsec/CVE-2013-2852.patch b/main/linux-grsec/CVE-2013-2852.patch
new file mode 100644
index 0000000000..84249e5ebf
--- /dev/null
+++ b/main/linux-grsec/CVE-2013-2852.patch
@@ -0,0 +1,32 @@
+From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 10 May 2013 21:48:21 +0000
+Subject: b43: stop format string leaking into error msgs
+
+The module parameter "fwpostfix" is userspace controllable, unfiltered,
+and is used to define the firmware filename. b43_do_request_fw() populates
+ctx->errors[] on error, containing the firmware filename. b43err()
+parses its arguments as a format string. For systems with b43 hardware,
+this could lead to a uid-0 to ring-0 escalation.
+
+CVE-2013-2852
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
+index 6dd07e2..a95b77a 100644
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work)
+ for (i = 0; i < B43_NR_FWTYPES; i++) {
+ errmsg = ctx->errors[i];
+ if (strlen(errmsg))
+- b43err(dev->wl, errmsg);
++ b43err(dev->wl, "%s", errmsg);
+ }
+ b43_print_fw_helptext(dev->wl, 1);
+ goto out;
+--
+cgit v0.9.2
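Review bot: The corrected `b43err(dev->wl, "%s", errmsg);` call has no comment saying that `errmsg` is untrusted, so the reason for the literal format is only in the patch description. Per that description, ctx->errors[] embeds the firmware filename built from the userspace-controlled `fwpostfix`; a comment such as `/* errmsg embeds the user-supplied fwpostfix; never pass it as the format */` would keep it next to the code. The patch fixes the sink only, so any other place that prints ctx->errors[] needs the same treatment. Building with `-Wformat-security`, with b43err() carrying a printf format attribute if it does not already, would flag a regression at compile time. The loop sits inside b43_request_firmware(), whose body starts and ends outside the hunk.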