[3.8.y.z,extended,stable] Patch "b43: stop format string leaking into error msgs" has been added to staging queue

Kamal Mostafa June 14, 2013, 6:33 p.m.
This is a note to let you know that I have just added a patch titled

    b43: stop format string leaking into error msgs

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:


This patch is scheduled to be released in version

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see



From 0f3f2d1c7184caaa8afac4ac1d9c3f295b12b551 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Fri, 10 May 2013 14:48:21 -0700
Subject: b43: stop format string leaking into error msgs

commit e0e29b683d6784ef59bbc914eac85a04b650e63c upstream.

The module parameter "fwpostfix" is userspace controllable, unfiltered,
and is used to define the firmware filename. b43_do_request_fw() populates
ctx->errors[] on error, containing the firmware filename. b43err()
parses its arguments as a format string. For systems with b43 hardware,
this could lead to a uid-0 to ring-0 escalation.


Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
 drivers/net/wireless/b43/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)



diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
index 64b637a..911c4c0 100644
--- a/drivers/net/wireless/b43/main.c
+++ b/drivers/net/wireless/b43/main.c
@@ -2451,7 +2451,7 @@  static void b43_request_firmware(struct work_struct *work)
 	for (i = 0; i < B43_NR_FWTYPES; i++) {
 		errmsg = ctx->errors[i];
 		if (strlen(errmsg))
-			b43err(dev->wl, errmsg);
+			b43err(dev->wl, "%s", errmsg);
 	b43_print_fw_helptext(dev->wl, 1);
 	goto out;