Skip to content

Commit

Permalink
b43: stop format string leaking into error msgs
Browse files Browse the repository at this point in the history 
commit e0e29b6 upstream.

The module parameter "fwpostfix" is userspace controllable, unfiltered,
and is used to define the firmware filename. b43_do_request_fw() populates
ctx->errors[] on error, containing the firmware filename. b43err()
parses its arguments as a format string. For systems with b43 hardware,
this could lead to a uid-0 to ring-0 escalation.

CVE-2013-2852

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
Kees Cook authored and Greg Kroah-Hartman committed Jun 20, 2013
1 parent ae02c5a commit 720083f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/net/wireless/b43/main.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2309,7 +2309,7 @@ static int b43_request_firmware(struct b43_wldev *dev)
for (i = 0; i < B43_NR_FWTYPES; i++) {
errmsg = ctx->errors[i];
if (strlen(errmsg))
b43err(dev->wl, errmsg);
b43err(dev->wl, "%s", errmsg);
}
b43_print_fw_helptext(dev->wl, 1);
err = -ENOENT;
Expand Down

0 comments on commit 720083f

Please sign in to comment.