| From: Tyler Hicks <tyhicks@canonical.com> |
| Date: Thu, 20 Jun 2013 13:13:59 -0700 |
| Subject: libceph: Fix NULL pointer dereference in auth client code |
| |
| commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream. |
| |
| A malicious monitor can craft an auth reply message that could cause a |
| NULL function pointer dereference in the client's kernel. |
| |
| To prevent this, the auth_none protocol handler needs an empty |
| ceph_auth_client_ops->build_request() function. |
| |
| CVE-2013-1059 |
| |
| Signed-off-by: Tyler Hicks <tyhicks@canonical.com> |
| Reported-by: Chanam Park <chanam.park@hkpco.kr> |
| Reviewed-by: Seth Arnold <seth.arnold@canonical.com> |
| Reviewed-by: Sage Weil <sage@inktank.com> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| net/ceph/auth_none.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| --- a/net/ceph/auth_none.c |
| +++ b/net/ceph/auth_none.c |
| @@ -39,6 +39,11 @@ static int should_authenticate(struct ce |
| return xi->starting; |
| } |
| |
| +static int build_request(struct ceph_auth_client *ac, void *buf, void *end) |
| +{ |
| + return 0; |
| +} |
| + |
| /* |
| * the generic auth code decode the global_id, and we carry no actual |
| * authenticate state, so nothing happens here. |
| @@ -107,6 +112,7 @@ static const struct ceph_auth_client_ops |
| .destroy = destroy, |
| .is_authenticated = is_authenticated, |
| .should_authenticate = should_authenticate, |
| + .build_request = build_request, |
| .handle_reply = handle_reply, |
| .create_authorizer = ceph_auth_none_create_authorizer, |
| .destroy_authorizer = ceph_auth_none_destroy_authorizer, |
