| From 3c6c00fa78339298e27ce4001052133ca8f52a84 Mon Sep 17 00:00:00 2001 |
| From: Tyler Hicks <tyhicks@canonical.com> |
| Date: Thu, 20 Jun 2013 13:13:59 -0700 |
| Subject: [PATCH] libceph: Fix NULL pointer dereference in auth client code |
| |
| commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream. |
| |
| A malicious monitor can craft an auth reply message that could cause a |
| NULL function pointer dereference in the client's kernel. |
| |
| To prevent this, the auth_none protocol handler needs an empty |
| ceph_auth_client_ops->build_request() function. |
| |
| CVE-2013-1059 |
| |
| Signed-off-by: Tyler Hicks <tyhicks@canonical.com> |
| Reported-by: Chanam Park <chanam.park@hkpco.kr> |
| Reviewed-by: Seth Arnold <seth.arnold@canonical.com> |
| Reviewed-by: Sage Weil <sage@inktank.com> |
| [PG: in v2.6.34, file is fs/ceph and not net/ceph] |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| fs/ceph/auth_none.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| diff --git a/fs/ceph/auth_none.c b/fs/ceph/auth_none.c |
| index 8cd9e3af07f7..1d1f9b4cbd87 100644 |
| --- a/fs/ceph/auth_none.c |
| +++ b/fs/ceph/auth_none.c |
| @@ -31,6 +31,11 @@ static int is_authenticated(struct ceph_auth_client *ac) |
| return !xi->starting; |
| } |
| |
| +static int build_request(struct ceph_auth_client *ac, void *buf, void *end) |
| +{ |
| + return 0; |
| +} |
| + |
| /* |
| * the generic auth code decode the global_id, and we carry no actual |
| * authenticate state, so nothing happens here. |
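Review bot: The added `build_request()` stub has no comment saying why an empty function is needed, so a later cleanup could mistake it for dead code and remove it, bringing back the NULL function pointer call described in the commit message. I would put a short comment above it, e.g. `/* auth_none has no request payload to build; this stub must stay so the generic auth code never calls a NULL ->build_request in response to a monitor's auth reply. */`. The comment should also say what returning 0 means to the caller, since the stub ignores `buf` and `end`. It is presumably read as a zero-length payload rather than an error, but the call site is not part of this patch.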
| @@ -97,6 +102,7 @@ static const struct ceph_auth_client_ops ceph_auth_none_ops = { |
| .reset = reset, |
| .destroy = destroy, |
| .is_authenticated = is_authenticated, |
| + .build_request = build_request, |
| .handle_reply = handle_reply, |
| .create_authorizer = ceph_auth_none_create_authorizer, |
| .destroy_authorizer = ceph_auth_none_destroy_authorizer, |
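Review bot: Wiring `.build_request` here closes only this one member. Any other `ceph_auth_client_ops` callback that auth_none leaves unset would still be a NULL call if the generic auth code invokes it without checking. The initializer starts and ends outside the hunk, so whether every member is populated cannot be judged from here and should be confirmed against the struct definition. If some ops are meant to be optional, the more durable fix is a NULL check at the generic call site that rejects a reply needing a callback the protocol does not provide. The struct members should then be annotated accordingly, e.g. `/* required: must be non-NULL for every protocol */`.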
| -- |
| 1.8.5.2 |
| |