From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Tyler Hicks <tyhicks@canonical.com>,
Chanam Park <chanam.park@hkpco.kr>,
Seth Arnold <seth.arnold@canonical.com>,
Sage Weil <sage@inktank.com>
Subject: [ 01/15] libceph: Fix NULL pointer dereference in auth client code
Date: Thu, 11 Jul 2013 15:19:31 -0700 [thread overview]
Message-ID: <20130711221256.160285989@linuxfoundation.org> (raw)
In-Reply-To: <20130711221255.925669600@linuxfoundation.org>
3.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tyler Hicks <tyhicks@canonical.com>
commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream.
A malicious monitor can craft an auth reply message that could cause a
NULL function pointer dereference in the client's kernel.
To prevent this, the auth_none protocol handler needs an empty
ceph_auth_client_ops->build_request() function.
CVE-2013-1059
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Chanam Park <chanam.park@hkpco.kr>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Sage Weil <sage@inktank.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/auth_none.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/net/ceph/auth_none.c
+++ b/net/ceph/auth_none.c
@@ -39,6 +39,11 @@ static int should_authenticate(struct ce
return xi->starting;
}
+static int build_request(struct ceph_auth_client *ac, void *buf, void *end)
+{
+ return 0;
+}
+
/*
* the generic auth code decode the global_id, and we carry no actual
* authenticate state, so nothing happens here.
@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops
.destroy = destroy,
.is_authenticated = is_authenticated,
.should_authenticate = should_authenticate,
+ .build_request = build_request,
.handle_reply = handle_reply,
.create_authorizer = ceph_auth_none_create_authorizer,
.destroy_authorizer = ceph_auth_none_destroy_authorizer,
next prev parent reply other threads:[~2013-07-11 22:19 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-11 22:19 [ 00/15] 3.9.10-stable review Greg Kroah-Hartman
2013-07-11 22:19 ` Greg Kroah-Hartman [this message]
2013-07-11 22:19 ` [ 02/15] ceph: fix sleeping function called from invalid context Greg Kroah-Hartman
2013-07-11 22:19 ` [ 03/15] drivers/cdrom/cdrom.c: use kzalloc() for failing hardware Greg Kroah-Hartman
2013-07-11 22:19 ` [ 04/15] module: do percpu allocation after uniqueness check. No, really! Greg Kroah-Hartman
2013-07-11 22:19 ` [ 05/15] charger-manager: Ensure event is not used as format string Greg Kroah-Hartman
2013-07-11 22:19 ` [ 06/15] hpfs: better test for errors Greg Kroah-Hartman
2013-07-11 22:19 ` [ 07/15] block: do not pass disk names as format strings Greg Kroah-Hartman
2013-07-11 22:19 ` [ 08/15] crypto: sanitize argument for format string Greg Kroah-Hartman
2013-07-11 22:19 ` [ 09/15] MAINTAINERS: add stable_kernel_rules.txt to stable maintainer information Greg Kroah-Hartman
2013-07-11 22:19 ` [ 10/15] futex: Take hugepages into account when generating futex_key Greg Kroah-Hartman
2013-07-11 22:19 ` [ 11/15] Revert "serial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi-I/O Controller" Greg Kroah-Hartman
2013-07-11 22:19 ` [ 12/15] nfsd4: fix decoding of compounds across page boundaries Greg Kroah-Hartman
2013-07-11 22:19 ` [ 13/15] KVM: VMX: mark unusable segment as nonpresent Greg Kroah-Hartman
2013-07-11 22:19 ` [ 14/15] SCSI: sd: Fix parsing of temporary cache mode prefix Greg Kroah-Hartman
2013-07-11 22:19 ` [ 15/15] Revert "memcg: avoid dangling reference count in creation failure" Greg Kroah-Hartman
2013-07-12 17:23 ` [ 00/15] 3.9.10-stable review Shuah Khan
2013-07-12 22:05 ` Guenter Roeck
2013-07-13 1:32 ` Greg Kroah-Hartman
2013-07-13 4:16 ` Satoru Takeuchi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130711221256.160285989@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chanam.park@hkpco.kr \
--cc=linux-kernel@vger.kernel.org \
--cc=sage@inktank.com \
--cc=seth.arnold@canonical.com \
--cc=stable@vger.kernel.org \
--cc=tyhicks@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).