[v2.6] CVE-2013-2851 Linux-Kernel: block layer
The block layer uses the “disk_name” field as a format
string in a number of places. While this is normally not a problem due
to how disk names are created (statically or incrementally), there
is currently at least one way to define nearly arbitrary names via
md. Instead of filtering md, this should be fixed within the kernel’s
interfaces. This flaw could potentially allow escalation from uid-0 to
ring-0, so except for certain environments, it is not too serious.
The test case is trivial:
- echo md_%x.%x.%x.%x >/sys/module/md_mod/parameters/new_array
- ls /dev/md_*
    /dev/md_c12cc370.df66d800.df66d80c.c13da45b
Using %n instead of %x leads to exciting crashes. :)
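An added example, not from the report or from the kernel tree, that shows the vulnerable shape in user space. emit() stands in for printk()/snprintf() receiving a device name; render_vulnerable() passes the name itself as the format (the CVE-2013-2851 pattern), render_fixed() passes it as an argument to a fixed "%s" format (the standard remediation, which is also the shape of the upstream fix), and format_directive_count() is the kind of input filter the report says is the wrong place to fix this. The sample name "md_100%%" is constructed: "%%" is the one directive whose misinterpretation is well defined (it consumes no argument), so the divergence can be shown without the undefined reads of %x or the writes of %n. All function names are the example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not kernel code): a user-space stand-in for printk()/
 * snprintf() receiving a device name.  Like printk(), emit() is variadic;
 * it carries no format attribute, so the compiler cannot see that the
 * "format" is really attacker-controlled data.
 */
static int emit(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern (CVE-2013-2851 shape): the name *is* the format string. */
const char *render_vulnerable(const char *disk_name)
{
    static char buf[128];

    emit(buf, sizeof buf, disk_name);       /* same as printk(disk_name) */
    return buf;
}

/* Fixed pattern: the name is an argument to a fixed "%s" format. */
const char *render_fixed(const char *disk_name)
{
    static char buf[128];

    emit(buf, sizeof buf, "%s", disk_name); /* same as printk("%s", disk_name) */
    return buf;
}

/*
 * Defense-in-depth check one could run at an input boundary such as md's
 * new_array parameter: count conversion directives ("%%" is an escaped
 * percent and does not count).  The report argues this is the wrong place
 * to fix the bug, since disk names reach the format sites from elsewhere too.
 */
int format_directive_count(const char *name)
{
    int count = 0;

    for (const char *p = name; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal percent, no argument */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /*
     * Constructed sample name.  "%%" consumes no argument, so the vulnerable
     * path is well defined here; "%x" would read, and "%n" would write
     * through, whatever sits in the variadic area (the "exciting crashes").
     */
    const char *name = "md_100%%";

    printf("vulnerable: %s\n", render_vulnerable(name));  /* md_100%  */
    printf("fixed:      %s\n", render_fixed(name));       /* md_100%% */
    printf("directives in \"md_%%x.%%x.%%x.%%x\": %d\n",
           format_directive_count("md_%x.%x.%x.%x"));     /* 4 */
    return 0;
}
```

Because the format reaches vsnprintf through a wrapper without a format attribute, -Wformat-security does not flag the vulnerable call; in a real code base, giving such wrappers a format attribute is what lets the compiler find sites like this, which is why the fix belongs at the interface rather than in one producer of names.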
The fix has been sent upstream:
http://marc.info/?l=linux-kernel&m=137055204522556&w=2
Alongside the above fix, a series of additional format-string-related cleanups has also been sent upstream:
http://marc.info/?l=linux-kernel&m=137055207522563&w=2
(from redmine: issue id 2094, created on 2013-06-18, closed on 2013-07-02)
- Relations:
  - parent #2093 (closed)
- Changesets:
  - Revision bcbc4590 by Natanael Copa on 2013-06-19T08:38:20Z:
    main/linux-grsec: upgrade to 3.9.6 and fix CVE-2013-2851
    fixes #2078
    fixes #2089
    fixes #2094
    (cherry picked from commit b52eb6193eb9c18980886ff25d2e4e41dd887078)