CVE-2013-2851 Linux-Kernel: block layer
The block layer uses the “disk_name” field as a format
string in a number of places. While this is normally not a problem due
to how disk names are created (statically or incrementally), there
is currently at least one way to define nearly arbitrary names via
md. Instead of filtering md, this should be fixed within the kernel’s
interfaces. This flaw could potentially allow escalation from uid-0 to
ring-0, so except for certain environments, it is not too serious.
The test case is trivial:
- echo md_%x.%x.%x.%x >/sys/module/md_mod/parameters/new_array
- ls /dev/md_*
/dev/md_c12cc370.df66d800.df66d80c.c13da45b
Using %n instead of %x leads to exciting crashes. :)
The fix has been sent upstream:
http://marc.info/?l=linux-kernel&m=137055204522556&w=2
With the above fixes, a series of additional format string related
clean
ups has also been sent upstream:
http://marc.info/?l=linux-kernel&m=137055207522563&w=2
(from redmine: issue id 2093, created on 2013-06-18, closed on 2013-07-03)
- Relations:
- child #2094 (closed)
- child #2095 (closed)
- child #2096 (closed)
- child #2097 (closed)
- Changesets:
- Revision 8522b076 by Natanael Copa on 2013-06-18T15:21:24Z:
main/linux-grsec: fix CVE-2013-2164,CVE-2013-2851,CVE-2013-2052
fixes #2079
fixes #2090
fixes #2093- Revision 25d456a5 by Natanael Copa on 2013-06-26T14:10:30Z:
main/linux-grsec: security fixes (CVE-2013-2164,CVE-2013-2851,CVE-2013-2852)
ref #2077
ref #2088
ref #2093
fixes #2083
fixes #2092
fixes #2097