redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/drivers
History
Nicolas Iooss 3958b79266 configfs: fix kernel infoleak through user-controlled format string 
Some modules call config_item_init_type_name() and config_group_init_type_name()
with parameter "name" directly controlled by userspace.  These two
functions call config_item_set_name() with this name used as a format
string, which can be used to leak information such as content of the
stack to userspace.

For example, make_netconsole_target() in netconsole module calls
config_item_init_type_name() with the name of a newly-created directory.
This means that the following commands give some unexpected output, with
configfs mounted in /sys/kernel/config/ and on a system with a
configured eth0 ethernet interface:

    # modprobe netconsole
    # mkdir /sys/kernel/config/netconsole/target_%lx
    # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name
    # echo 1 > /sys/kernel/config/netconsole/target_%lx/enabled
    # echo eth0 > /sys/kernel/config/netconsole/target_%lx/dev_name
    # dmesg |tail -n1
    [  142.697668] netconsole: target (target_ffffffffc0ae8080) is
    enabled, disable to update parameters

The directory name is correct but %lx has been interpreted in the
internal item name, displayed here in the error message used by
store_dev_name() in drivers/net/netconsole.c.

To fix this, update every caller of config_item_set_name to use "%s"
when operating on untrusted input.

This issue was found using -Wformat-security gcc flag, once a __printf
attribute has been added to config_item_set_name().

Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Felipe Balbi <balbi@ti.com>
Acked-by: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 		2015-07-17 16:39:53 -07:00
..
accessibility
acpi Merge branches 'pm-cpuidle', 'pm-cpufreq' and 'acpi-resources' 2015-07-16 23:47:19 +02:00
amba
android
ata ata: ahci_platform: Add ACPI _CLS matching 2015-07-07 01:55:21 +02:00
atm
auxdisplay
base Fix firmware loader uevent buffer NULL pointer dereference 2015-07-09 11:20:01 -07:00
bcma
block NVMe: Reread partitions on metadata formats 2015-07-15 15:36:47 -06:00
bluetooth Bluetooth: ath3k: Add support of 04ca:300d AR3012 device 2015-06-18 21:00:06 +03:00
bus ARM: SoC: driver updates for v4.2 2015-06-26 11:54:29 -07:00
cdrom
char Merge tag 'tpm-fixes-for-4.2-rc2' of https://github.com/PeterHuewe/linux-tpmdd into for-linus 2015-07-15 21:46:59 +10:00
clk A small set of fixes for problems found by smatch in new drivers 2015-07-11 11:08:21 -07:00
clocksource clocksource/imx: Define clocksource for mx27 2015-07-07 10:44:45 +02:00
connector
cpufreq Merge branches 'pm-cpuidle', 'pm-cpufreq' and 'acpi-resources' 2015-07-16 23:47:19 +02:00
cpuidle suspend-to-idle: Prevent RCU from complaining about tick_freeze() 2015-07-09 22:59:49 +02:00
crypto crypto: nx - Fix reentrancy bugs 2015-07-08 15:14:13 +08:00
dca
devfreq
dio
dma Merge branch 'akpm' (patches from Andrew) 2015-07-01 17:47:51 -07:00
dma-buf
edac A build fix for octeon_edac from Aaro Koskinen. 2015-07-03 12:10:12 -07:00
eisa
extcon
firewire
firmware Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2015-07-03 15:20:57 -07:00
fmc
gpio gpio: pca953x: fix nested irqs rescheduling 2015-07-16 14:40:08 +02:00
gpu drm/ttm: improve uncached page deallocation. 2015-07-17 18:18:04 +10:00
hid Merge branches 'for-4.2/i2c-hid', 'for-4.2/lenovo', 'for-4.2/plantronics', 'for-4.2/rmi', 'for-4.2/sensor-hub', 'for-4.2/sjoy', 'for-4.2/sony' and 'for-4.2/wacom' into for-linus 2015-06-22 16:23:43 +02:00
hsi Fix up implicit <module.h> users that will break later. 2015-07-02 10:25:22 -07:00
hv
hwmon hwmon: (w83627ehf) Use swap() in w82627ehf_swap_tempreg() 2015-07-03 14:39:06 +02:00
hwspinlock hwspinlock: qcom: Correct msb in regmap_field 2015-07-01 16:15:05 +03:00
hwtracing/coresight
i2c i2c: Mark instantiated device nodes with OF_POPULATE 2015-07-09 22:25:54 +02:00
ide Minor merge needed, due to function move. 2015-07-01 10:49:25 -07:00
idle
iio Second set of IIO fixes for the 4.2 cycle. Note these depend (mostly) on 2015-07-13 14:19:22 -07:00
infiniband IB/core: Destroy ocrdma_dev_id IDR on module exit 2015-07-14 13:20:16 -04:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2015-07-11 11:16:04 -07:00
iommu IOMMU Fixes for Linux v4.2-rc0 2015-07-01 14:44:22 -07:00
ipack
irqchip Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2015-07-12 13:55:24 -07:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2015-06-24 16:49:49 -07:00
leds Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds 2015-07-01 19:09:11 -07:00
lguest Merge branch 'x86-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-06-22 17:59:09 -07:00
macintosh macintosh/nvram: Remove as unused 2015-06-15 16:42:37 +10:00
mailbox Replace module_init with appropriate alternate initcall in non modules. 2015-07-02 10:36:29 -07:00
mcb
md bcache: don't embed 'return' statements in closure macros 2015-07-11 09:57:32 -06:00
media Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/cooloney/linux-leds 2015-07-01 19:09:11 -07:00
memory Merge branch 'fixes-rc1' into omap-for-v4.2/fixes 2015-07-06 05:33:17 -07:00
memstick memstick: remove deprecated use of pci api 2015-06-30 19:44:57 -07:00
message fusion: remove dead MTRR code 2015-06-13 08:44:14 -07:00
mfd Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-07-01 15:19:35 -07:00
misc powerpc fixes for 4.2 2015-07-10 12:16:59 -07:00
mmc ARM: SoC: late fixes and dependencies 2015-07-02 14:40:49 -07:00
mtd Minor merge needed, due to function move. 2015-07-01 10:49:25 -07:00
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-07-13 11:18:25 -07:00
nfc Char/Misc driver patches for 4.2-rc1 2015-06-26 14:51:15 -07:00
ntb NTB: Add split BAR output for debugfs stats 2015-07-04 14:09:32 -04:00
nubus
nvdimm nvdimm: Fix return value of nvdimm_bus_init() if class_create() fails 2015-06-30 14:30:34 -04:00
of Devicetree changes for v4.2 2015-07-01 19:40:18 -07:00
oprofile
parisc
parport
pci Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-07-01 15:19:35 -07:00
pcmcia Fix up implicit <module.h> users that will break later. 2015-07-02 10:25:22 -07:00
phy Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2015-06-27 12:44:34 -07:00
pinctrl Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-07-01 15:19:35 -07:00
platform intel_scu_ipc: move local memory initialization out of a mutex 2015-07-14 11:02:44 -07:00
pnp ACPI / PNP: Reserve ACPI resources at the fs_initcall_sync stage 2015-07-06 23:52:21 +02:00
power Replace module_platform_driver with builtin_platform driver in non modules. 2015-07-02 10:42:13 -07:00
powercap
pps
ps3
ptp
pwm pwm: Changes for v4.2-rc1 2015-06-23 13:32:38 -07:00
rapidio Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2015-06-23 14:08:54 -07:00
ras
regulator Fix up implicit <module.h> users that will break later. 2015-07-02 10:25:22 -07:00
remoteproc remoteproc: fix !CONFIG_OF build breakage 2015-06-18 11:44:41 +03:00
reset
rpmsg
rtc Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2015-06-27 12:44:34 -07:00
s390 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux 2015-07-15 13:12:44 -07:00
sbus
scsi IB/srp: Avoid using uninitialized variable 2015-07-14 13:20:09 -04:00
sfi
sh Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2015-07-01 15:19:35 -07:00
sn
soc ARM: SoC: late fixes and dependencies 2015-07-02 14:40:49 -07:00
spi Merge remote-tracking branches 'spi/topic/sirf', 'spi/topic/spidev' and 'spi/topic/zynq' into spi-next 2015-06-18 00:19:56 +01:00
spmi
ssb
staging staging: vt6656: check ieee80211_bss_conf bssid not NULL 2015-07-14 19:34:57 -07:00
target Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2015-07-04 14:13:43 -07:00
tc
thermal Minor merge needed, due to function move. 2015-07-01 10:49:25 -07:00
thunderbolt
tty ARM: SoC: late fixes and dependencies 2015-07-02 14:40:49 -07:00
uio
usb configfs: fix kernel infoleak through user-controlled format string 2015-07-17 16:39:53 -07:00
uwb
vfio VFIO updates for v4.2 2015-06-28 12:32:13 -07:00
vhost Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2015-07-04 14:13:43 -07:00
video stifb: Implement hardware accelerated copyarea 2015-07-10 21:44:19 +02:00
virt
virtio virtio/vhost: cross endian support 2015-07-03 16:02:25 -07:00
vlynq
vme
w1
watchdog Merge git://www.linux-watchdog.org/linux-watchdog 2015-07-01 19:33:16 -07:00
xen Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2015-07-04 14:13:43 -07:00
zorro
Kconfig libnvdimm, nfit: initial libnvdimm infrastructure and NFIT support 2015-06-24 21:24:10 -04:00
Makefile The libnvdimm sub-system introduces, in addition to the libnvdimm-core, 2015-06-29 10:34:42 -07:00