Message ID | 1371727897-8763-1-git-send-email-luis.henriques@canonical.com |
---|---|
State | New |
Headers | show |
On Thu, Jun 20, 2013 at 12:31:37PM +0100, Luis Henriques wrote: > From: Kees Cook <keescook@chromium.org> > > BugLink: https://bugs.launchpad.net/bugs/1189833 > > The module parameter "fwpostfix" is userspace controllable, unfiltered, > and is used to define the firmware filename. b43_do_request_fw() populates > ctx->errors[] on error, containing the firmware filename. b43err() > parses its arguments as a format string. For systems with b43 hardware, > this could lead to a uid-0 to ring-0 escalation. > > CVE-2013-2852 > > Signed-off-by: Kees Cook <keescook@chromium.org> > Cc: stable@vger.kernel.org > Signed-off-by: John W. Linville <linville@tuxdriver.com> > (cherry picked from commit e0e29b683d6784ef59bbc914eac85a04b650e63c) > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > drivers/net/wireless/b43/main.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c > index 9bd5366..c14acea 100644 > --- a/drivers/net/wireless/b43/main.c > +++ b/drivers/net/wireless/b43/main.c > @@ -2287,7 +2287,7 @@ static int b43_request_firmware(struct b43_wldev *dev) > for (i = 0; i < B43_NR_FWTYPES; i++) { > errmsg = ctx->errors[i]; > if (strlen(errmsg)) > - b43err(dev->wl, errmsg); > + b43err(dev->wl, "%s", errmsg); > } > b43_print_fw_helptext(dev->wl, 1); > err = -ENOENT; Looks to do what is claimed, clean cherrypick. Acked-by: Andy Whitcroft <apw@canonical.com> Is this coming via stable for later releases? -apw
diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c index 9bd5366..c14acea 100644 --- a/drivers/net/wireless/b43/main.c +++ b/drivers/net/wireless/b43/main.c @@ -2287,7 +2287,7 @@ static int b43_request_firmware(struct b43_wldev *dev) for (i = 0; i < B43_NR_FWTYPES; i++) { errmsg = ctx->errors[i]; if (strlen(errmsg)) - b43err(dev->wl, errmsg); + b43err(dev->wl, "%s", errmsg); } b43_print_fw_helptext(dev->wl, 1); err = -ENOENT;