[v2.6] CVE-2013-2164 Linux Kernel - Leak information in cdrom driver
In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a
memory
area with kmalloc in line 2885.
2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
2886 if (cgc->buffer == NULL)
2887 return -ENOMEM;
In line 2908 we can find the copy_to_user function:
2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
The cgc->buffer is never cleaned and initialized before this
function. If
ret = 0 with the previous basic block, it’s possible to display some
memory bytes in kernel space from userspace.
When we read a block from the disk it normally fills the ->buffer but
if
the drive is malfunctioning there is a chance that it would only be
partially filled. The result is an leak information to userspace.
(from redmine: issue id 2078, created on 2013-06-10, closed on 2013-07-02)
- Relations:
- parent #2077 (closed)
- Changesets:
- Revision f535ac0d by Natanael Copa on 2013-06-19T08:38:19Z:
main/linux-grsec: upgrade to 3.9.5
(cherry picked from commit 26c4e189e825d62d0249fb5f499bcb545d40e1ab)
fixes #2078
- Revision bcbc4590 by Natanael Copa on 2013-06-19T08:38:20Z:
main/linux-grsec: upgrade to 3.9.6 and fix CVE-2013-2851
fixes #2078
fixes #2089
fixes #2094
(cherry picked from commit b52eb6193eb9c18980886ff25d2e4e41dd887078)