[v2.6] CVE-2013-2852 Linux-Kernel: b43 wireless driver
The b43 driver reports error strings that can be interpreted as format strings. Under normal conditions, this is not a problem, but it is possible for the “fwpostfix” module parameter to change the filenames used to fetch firmware. When such a file is not found, the filename will be processed as a format string. This flaw could potentially allow escalation from uid-0 to ring-0, so except for certain environments, it is not too serious.
If b43 hardware is available, this should show itself easily. I don’t have any available for testing, but it seems it would show itself like this:
- rmmod b43
- modprobe b43 fwpostfix=AA%xBB
- dmesg

...
b43-0 ERROR: Firmware file “b43AAdeff80ccBB/a0g1bsinitvals5.fw” not found
Using %n instead of %x would lead to exciting crashes. :)
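Added illustration, not code from this issue or from the b43 driver: a user-space stand-in for a printk-style error logger, showing the vulnerable call shape (caller-built message passed as the format) beside the standard remedy (a literal "%s" format with the message as an argument), plus a sanity check for a fwpostfix value. The names err_log, report_missing_vulnerable, report_missing_fixed, message_intact and fwpostfix_is_sane are hypothetical, and the filename is a constructed sample.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printk-style logger such as b43err():
 * formats into a buffer instead of the kernel log. */
static void err_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape: the message, which embeds the fwpostfix-derived
 * filename, is handed to the logger AS the format string, so any
 * %-directive in the filename is interpreted. */
static void report_missing_vulnerable(char *out, size_t n, const char *filename)
{
    char msg[128];
    snprintf(msg, sizeof msg, "Firmware file \"%s\" not found", filename);
    err_log(out, n, msg);
}

/* Fixed shape: a literal format; the message only travels as a %s
 * argument and is copied verbatim, never parsed. */
static void report_missing_fixed(char *out, size_t n, const char *filename)
{
    char msg[128];
    snprintf(msg, sizeof msg, "Firmware file \"%s\" not found", filename);
    err_log(out, n, "%s", msg);
}

/* Returns true when the fixed path preserves the filename byte-for-byte. */
static bool message_intact(const char *filename)
{
    char out[192];
    report_missing_fixed(out, sizeof out, filename);
    return strstr(out, filename) != NULL;
}

/* Defensive check for the module parameter: a legitimate firmware
 * postfix has no reason to contain a '%' character. */
static bool fwpostfix_is_sane(const char *postfix)
{
    return postfix != NULL && strchr(postfix, '%') == NULL;
}

int main(void)
{
    char out[192];
    const char *name = "b43AA%xBB/a0g1bsinitvals5.fw"; /* constructed sample */
    report_missing_vulnerable(out, sizeof out, name);
    printf("vulnerable: %s\n", out); /* %x consumed: hex digits appear */
    report_missing_fixed(out, sizeof out, name);
    printf("fixed:      %s\n", out); /* %x printed literally */
    return fwpostfix_is_sane("AA%xBB") ? 1 : 0;
}
```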
It has been fixed in the upstream wireless tree:
(from redmine: issue id 2089, created on 2013-06-18, closed on 2013-07-02)
- Relations:
  - parent #2088 (closed)
- Changesets:
  - Revision bcbc4590 by Natanael Copa on 2013-06-19T08:38:20Z:
    main/linux-grsec: upgrade to 3.9.6 and fix CVE-2013-2851
    fixes #2078
    fixes #2089
    fixes #2094
    (cherry picked from commit b52eb6193eb9c18980886ff25d2e4e41dd887078)