CVE-2013-2852 Linux-Kernel: b43 wireless driver
The b43 driver reports error strings that can be interpreted as format
strings. Under normal conditions, this is not a problem, but it is
possible for the “fwpostfix” module parameter to change the filenames
used to fetch firmware. When such a file is not found, the filename
will be processed as a format string. This flaw could potentially allow
escalation from uid-0 to ring-0, so except for certain environments,
it is not too serious.
If b43 hardware is available, this should show itself easily. I don’t have
any available for testing, but it seems it would show itself like this:
- rmmod b43
- modprobe b43 fwpostfix=AA%xBB
…
- dmesg
…
b43-0 ERROR: Firmware file “b43AAdeff80ccBB/a0g1bsinitvals5.fw” not found
Using %n instead of %x would lead to exciting crashes. :)
It has been fixed in the upstream wireless tree:
(from redmine: issue id 2088, created on 2013-06-18, closed on 2013-07-03)
- Relations:
- child #2089 (closed)
- child #2090 (closed)
- child #2091 (closed)
- child #2092 (closed)
- Changesets:
- Revision 25d456a5 by Natanael Copa on 2013-06-26T14:10:30Z:
main/linux-grsec: security fixes (CVE-2013-2164,CVE-2013-2851,CVE-2013-2852)
ref #2077
ref #2088
ref #2093
fixes #2083
fixes #2092
fixes #2097
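
The flaw described in the report, modelled in user-space C as an added example (not code from the b43 driver, the fix, or the original report). log_err, build_errmsg, report_unsafe, report_safe and STAND_IN are hypothetical names, and STAND_IN is a constructed value passed so that the %x conversion has a defined argument to read.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for whatever would occupy the first argument slot. */
#define STAND_IN 0xdeff80ccu

/* Hypothetical user-space model of a printk-style error helper. */
static int log_err(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Build the "not found" text from the parameter value (assumed layout). */
static void build_errmsg(char *msg, size_t n, const char *fwpostfix)
{
    snprintf(msg, n, "Firmware file \"b43%s/a0g1bsinitvals5.fw\" not found",
             fwpostfix);
}

/* Flawed pattern: the finished message is handed over as the format. */
static int report_unsafe(char *out, size_t n, const char *fwpostfix)
{
    char msg[128];
    build_errmsg(msg, sizeof(msg), fwpostfix);
    return log_err(out, n, msg, STAND_IN);   /* msg is parsed for % codes */
}

/* Corrected pattern: constant format, message passed as data. */
static int report_safe(char *out, size_t n, const char *fwpostfix)
{
    char msg[128];
    build_errmsg(msg, sizeof(msg), fwpostfix);
    return log_err(out, n, "%s", msg);       /* msg is never parsed */
}

int main(void)
{
    char out[160];
    report_unsafe(out, sizeof(out), "AA%xBB"); puts(out);
    report_safe(out, sizeof(out), "AA%xBB");   puts(out);
    return 0;
}
```

When auditing for this class of bug, look for log or print helpers whose format argument is a variable rather than a string literal.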