aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/rtc/rtc-max6900.c
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2013-03-27 06:40:50 +0000
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-10-13 14:51:08 -0700
commit7b3c1a8576716d825c73ac1739b2b3f0d7226dcf (patch)
tree9d73ed3e343bc4fc6a3f4867de52b5a5521b242b /drivers/rtc/rtc-max6900.c
parent6ac3a550f14a5b4a24417097cd6abcb8c79a0d5a (diff)
downloadkernel_samsung_smdk4412-7b3c1a8576716d825c73ac1739b2b3f0d7226dcf.zip
kernel_samsung_smdk4412-7b3c1a8576716d825c73ac1739b2b3f0d7226dcf.tar.gz
kernel_samsung_smdk4412-7b3c1a8576716d825c73ac1739b2b3f0d7226dcf.tar.bz2
tg3: fix length overflow in VPD firmware parsing
commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424 upstream. Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version when present") introduced VPD parsing that contained a potential length overflow. Limit the hardware's reported firmware string length (max 255 bytes) to stay inside the driver's firmware string length (32 bytes). On overflow, truncate the formatted firmware string instead of potentially overwriting portions of the tg3 struct. http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf -js: This fixes CVE-2013-1929. Signed-off-by: Kees Cook <keescook@chromium.org> Reported-by: Oded Horovitz <oded@privatecore.com> Reported-by: Brad Spengler <spender@grsecurity.net> Cc: stable@vger.kernel.org Cc: Matt Carlson <mcarlson@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net> Acked-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/rtc/rtc-max6900.c')
0 files changed, 0 insertions, 0 deletions