kernel-cifs: CVE-2013-4247

Fix off-by-one bug in build_unc_path_to_root Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4247 Reference to upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ commit/?id=1fc29bacedeabb278080e31bb9c1ecb49f143c3b Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-06-16 09:47:10 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2016-06-16 15:48:32 +0200
commit: 5a09d19a9799291e6a125aacb0cd6451b37660f9 (patch)
tree: 0b5e38526dd7e9ce7501a2f3398ac7c29da3637b
parent: 1586e3d34a97f041a1ec81f398201bab9a86efe7 (diff)
download: meta-enea-5a09d19a9799291e6a125aacb0cd6451b37660f9.tar.gz
2 files changed, 49 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/fs-CVE-2013-4247.patch b/recipes-kernel/linux/files/fs-CVE-2013-4247.patch
new file mode 100644
index 0000000..bee75b9
--- /dev/null
+++ b/recipes-kernel/linux/files/fs-CVE-2013-4247.patch
@@ -0,0 +1,48 @@
+From 1fc29bacedeabb278080e31bb9c1ecb49f143c3b Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Fri, 31 May 2013 10:00:18 -0400
+Subject: cifs: fix off-by-one bug in build_unc_path_to_root
+commit 839db3d10a (cifs: fix up handling of prefixpath= option) changed
+the code such that the vol->prepath no longer contained a leading
+delimiter and then fixed up the places that accessed that field to
+account for that change.
+One spot in build_unc_path_to_root was missed however. When doing the
+pointer addition on pos, that patch failed to account for the fact that
+we had already incremented "pos" by one when adding the length of the
+prepath. This caused a buffer overrun by one byte.
+This patch fixes the problem by correcting the handling of "pos".
+CVE: CVE-2013-4247
+Upstream-Status: Backport
+Cc: <stable@vger.kernel.org> # v3.8+
+Reported-by: Marcus Moeller <marcus.moeller@gmx.ch>
+Reported-by: Ken Fallon <ken.fallon@gmail.com>
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/cifs/connect.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
+index 5b97e56..e3bc39b 100644
+--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
+@@ -3279,8 +3279,8 @@ build_unc_path_to_root(const struct smb_vol *vol,
+        pos = full_path + unc_len;
+ 
+        if (pplen) {
+-               *pos++ = CIFS_DIR_SEP(cifs_sb);
+-               strncpy(pos, vol->prepath, pplen);
+               *pos = CIFS_DIR_SEP(cifs_sb);
+               strncpy(pos + 1, vol->prepath, pplen);
+                pos += pplen;
+        }
+ 
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/linux-qoriq-sdk.bbappend b/recipes-kernel/linux/linux-qoriq-sdk.bbappend
index 8007b41..6a5bfaa 100644
--- a/recipes-kernel/linux/linux-qoriq-sdk.bbappend
+++ b/recipes-kernel/linux/linux-qoriq-sdk.bbappend
@@ -17,6 +17,7 @@ SRC_URI += "file://add-no-error-uninitialized.patch \
    file://HID_CVE_patches/0013-HID-picolcd_core-validate-output-report-details.patch \
    file://HID_CVE_patches/0014-HID-check-for-NULL-field-when-setting-values.patch \
    file://powerpc-fsl-booke64-Set-vmemmap_psize-to-4K.patch \
+    file://fs-CVE-2013-4247.patch \
    file://Fix-CVE-2014-3153.patch \
    file://CVE-2014-0196_n_tty_write_crash.patch \
    file://Fix-CVE-2014-5471_CVE-2014-5472.patch \
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-06-16 09:47:10 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2016-06-16 15:48:32 +0200
commit	5a09d19a9799291e6a125aacb0cd6451b37660f9 (patch)
tree	0b5e38526dd7e9ce7501a2f3398ac7c29da3637b
parent	1586e3d34a97f041a1ec81f398201bab9a86efe7 (diff)
download	meta-enea-5a09d19a9799291e6a125aacb0cd6451b37660f9.tar.gz

diff --git a/recipes-kernel/linux/files/fs-CVE-2013-4247.patch b/recipes-kernel/linux/files/fs-CVE-2013-4247.patch new file mode 100644 index 0000000..bee75b9 --- /dev/null +++ b/recipes-kernel/linux/files/fs-CVE-2013-4247.patch
@@ -0,0 +1,48 @@
		1	From 1fc29bacedeabb278080e31bb9c1ecb49f143c3b Mon Sep 17 00:00:00 2001
		2	From: Jeff Layton <jlayton@redhat.com>
		3	Date: Fri, 31 May 2013 10:00:18 -0400
		4	Subject: cifs: fix off-by-one bug in build_unc_path_to_root
		5
		6	commit 839db3d10a (cifs: fix up handling of prefixpath= option) changed
		7	the code such that the vol->prepath no longer contained a leading
		8	delimiter and then fixed up the places that accessed that field to
		9	account for that change.
		10
		11	One spot in build_unc_path_to_root was missed however. When doing the
		12	pointer addition on pos, that patch failed to account for the fact that
		13	we had already incremented "pos" by one when adding the length of the
		14	prepath. This caused a buffer overrun by one byte.
		15
		16	This patch fixes the problem by correcting the handling of "pos".
		17
		18	CVE: CVE-2013-4247
		19	Upstream-Status: Backport
		20
		21	Cc: <stable@vger.kernel.org> # v3.8+
		22	Reported-by: Marcus Moeller <marcus.moeller@gmx.ch>
		23	Reported-by: Ken Fallon <ken.fallon@gmail.com>
		24	Signed-off-by: Jeff Layton <jlayton@redhat.com>
		25	Signed-off-by: Steve French <sfrench@us.ibm.com>
		26	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		27	---
		28	fs/cifs/connect.c \| 4 ++--
		29	1 file changed, 2 insertions(+), 2 deletions(-)
		30
		31	diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
		32	index 5b97e56..e3bc39b 100644
		33	--- a/fs/cifs/connect.c
		34	+++ b/fs/cifs/connect.c
		35	@@ -3279,8 +3279,8 @@ build_unc_path_to_root(const struct smb_vol *vol,
		36	pos = full_path + unc_len;
		37
		38	if (pplen) {
		39	- *pos++ = CIFS_DIR_SEP(cifs_sb);
		40	- strncpy(pos, vol->prepath, pplen);
		41	+ *pos = CIFS_DIR_SEP(cifs_sb);
		42	+ strncpy(pos + 1, vol->prepath, pplen);
		43	pos += pplen;
		44	}
		45
		46	--
		47	cgit v0.12
		48


diff --git a/recipes-kernel/linux/linux-qoriq-sdk.bbappend b/recipes-kernel/linux/linux-qoriq-sdk.bbappend index 8007b41..6a5bfaa 100644 --- a/recipes-kernel/linux/linux-qoriq-sdk.bbappend +++ b/recipes-kernel/linux/linux-qoriq-sdk.bbappend
@@ -17,6 +17,7 @@ SRC_URI += "file://add-no-error-uninitialized.patch \
17	file://HID_CVE_patches/0013-HID-picolcd_core-validate-output-report-details.patch \	17	file://HID_CVE_patches/0013-HID-picolcd_core-validate-output-report-details.patch \
18	file://HID_CVE_patches/0014-HID-check-for-NULL-field-when-setting-values.patch \	18	file://HID_CVE_patches/0014-HID-check-for-NULL-field-when-setting-values.patch \
19	file://powerpc-fsl-booke64-Set-vmemmap_psize-to-4K.patch \	19	file://powerpc-fsl-booke64-Set-vmemmap_psize-to-4K.patch \
		20	file://fs-CVE-2013-4247.patch \
20	file://Fix-CVE-2014-3153.patch \	21	file://Fix-CVE-2014-3153.patch \
21	file://CVE-2014-0196_n_tty_write_crash.patch \	22	file://CVE-2014-0196_n_tty_write_crash.patch \
22	file://Fix-CVE-2014-5471_CVE-2014-5472.patch \	23	file://Fix-CVE-2014-5471_CVE-2014-5472.patch \