[v2.5] CVE-2013-2851 Linux-Kernel: block layer
The block layer uses the “disk_name” field as a format
string in a number of places. While this is normally not a problem due
to how disk names are created (statically or incrementally), there
is currently at least one way to define nearly arbitrary names via
md. Instead of filtering md, this should be fixed within the kernel’s
interfaces. This flaw could potentially allow escalation from uid-0 to
ring-0, so except for certain environments, it is not too serious.
The test case is trivial:
- echo md_%x.%x.%x.%x >/sys/module/md_mod/parameters/new_array
- ls /dev/md_*
/dev/md_c12cc370.df66d800.df66d80c.c13da45b
Using %n instead of %x leads to exciting crashes. :)
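The pattern behind the bug and its fix, as an added user-space illustration that is not part of the original report or of the upstream patch: a disk name that originates from user space (here the md new_array parameter) must only ever be passed as an argument to a fixed "%s" format, never as the format itself. The function names, the fixed-size buffer and the sample name are constructed for this example; DISK_NAME_LEN is assumed to match the kernel's gendisk name size.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed to match the kernel's DISK_NAME_LEN for struct gendisk::disk_name. */
#define DISK_NAME_LEN 32

/*
 * Vulnerable pattern described in the report (shown here only as a comment,
 * since calling a formatter with a caller-controlled format is the bug):
 *
 *     dev_set_name(ddev, disk->disk_name);   // disk_name is the format string
 *
 * With a name such as "md_%x.%x.%x.%x" the formatter consumes stack/register
 * contents for each %x, and %n turns the read into a write.
 */

/* Hardened pattern: the name is always data, formatted through a literal "%s".
 * Returns 0 on success, -1 if the name would not fit (or on a formatter error). */
static int set_disk_kobj_name(char *dst, size_t dst_len, const char *disk_name)
{
    int n = snprintf(dst, dst_len, "%s", disk_name);
    if (n < 0 || (size_t)n >= dst_len)
        return -1;   /* refuse to register a truncated name instead of guessing */
    return 0;
}

/* Defensive check at the point where a name is accepted from user space
 * (the hypothetical equivalent of the md new_array parameter handler):
 * a '%' in a device name has no legitimate use, so reject it outright. */
static bool disk_name_has_directive(const char *disk_name)
{
    return strchr(disk_name, '%') != NULL;
}

int main(void)
{
    /* Constructed input: the exact name from the test case above. */
    const char *hostile = "md_%x.%x.%x.%x";
    char kobj_name[DISK_NAME_LEN];

    if (disk_name_has_directive(hostile))
        printf("reject at input boundary: %s\n", hostile);

    /* Even if the boundary check is missing, the "%s" path copies the name verbatim. */
    if (set_disk_kobj_name(kobj_name, sizeof kobj_name, hostile) == 0)
        printf("registered literally: %s\n", kobj_name);

    return 0;
}
```

The two layers are independent: the "%s" fix removes the format-string interpretation entirely, while the boundary check documents that a '%' in a device name is never expected and makes such input visible in logs.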
The fix has been sent upstream:
http://marc.info/?l=linux-kernel&m=137055204522556&w=2
With the above fixes, a series of additional format-string related cleanups
has also been sent upstream:
http://marc.info/?l=linux-kernel&m=137055207522563&w=2
(from redmine: issue id 2095, created on 2013-06-18, closed on 2013-07-03)
- Relations:
- parent #2093 (closed)