Date: Fri, 05 Apr 2013 18:08:02 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marcus Meissner <meissner@...e.de>
Subject: Re: CVE Request: tg3 VPD firmware -> driver injection

On 04/05/2013 08:00 AM, Marcus Meissner wrote:
> Hi,
> 
> These slides refer to (cloud) server hardware injecting code into
> otherwise unsuspecting host / guest systems.
> 
> Sample is tg3 (around slide 18) 
> http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
> 
> Introduced by: commit 184b89044fb6e2a74611dafa69b1dce0d98612c6
> Author: Matt Carlson <mcarlson@...adcom.com>
> Date:   Mon Apr 5 10:19:25 2010 +0000
> 
> tg3: Use VPD fw version when present
> 
> which was added during Linux 3.2 development.
> 
> Fixed by: 
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=715230a44310a8cf66fbfb5a46f9a62a9b2de424
>
> commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424
> Author: Kees Cook <keescook@...omium.org>
> Date:   Wed Mar 27 06:40:50 2013 +0000
> 
> tg3: fix length overflow in VPD firmware parsing
> 
> Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw
> version when present") introduced VPD parsing that contained a
> potential length overflow.
> 
> Limit the hardware's reported firmware string length (max 255
> bytes) to stay inside the driver's firmware string length (32
> bytes). On overflow, truncate the formatted firmware string instead
> of potentially overwriting portions of the tg3 struct.
> 
> http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
> 
> 
> Ciao, Marcus
> 

Please use CVE-2013-1929 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
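
Added example, not part of the original message and not code from the tg3 driver: a small C model of the fix the quoted commit message describes, where a hardware-reported length (up to 255) is limited to a 32-byte destination and the formatted string is truncated rather than written past the buffer. The struct, the function name and the " bc " suffix are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FW_VER_LEN 32            /* driver-side buffer size, per the commit message */

/* Hypothetical stand-in for the driver's per-device struct. */
struct nic_model {
    char fw_ver[FW_VER_LEN];
    uint32_t next_field;         /* what an overflow of fw_ver would clobber */
};

/*
 * Copy a firmware version string out of a VPD block.
 * 'len' is the one-byte length the hardware reports (0..255) and is untrusted.
 * Returns the number of version bytes kept, or -1 if the field lies outside
 * the VPD block.
 */
int set_fw_ver(struct nic_model *n, const uint8_t *vpd, size_t vpd_size,
               size_t off, uint8_t len)
{
    size_t keep = len;

    if (off > vpd_size || keep > vpd_size - off)
        return -1;               /* field would read past the VPD data */

    /* The unsafe pattern is memcpy(n->fw_ver, vpd + off, len): with len up
     * to 255 and a 32-byte destination it writes into next_field and beyond. */
    if (keep >= sizeof(n->fw_ver))
        keep = sizeof(n->fw_ver) - 1;   /* limit to the destination */

    memset(n->fw_ver, 0, sizeof(n->fw_ver));
    /* snprintf truncates and NUL-terminates; the suffix is illustrative. */
    snprintf(n->fw_ver, sizeof(n->fw_ver), "%.*s bc ", (int)keep,
             (const char *)(vpd + off));
    return (int)keep;
}

int main(void)
{
    /* Constructed sample: a VPD buffer whose version field claims 200 bytes. */
    uint8_t vpd[256];
    struct nic_model n = { .next_field = 0xC0FFEEu };

    memset(vpd, 'A', sizeof(vpd));
    int kept = set_fw_ver(&n, vpd, sizeof(vpd), 16, 200);
    printf("kept=%d fw_ver=\"%s\" next_field=%#x\n", kept, n.fw_ver, n.next_field);
    return 0;
}
```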
