From: Michal Schmidt <xschmi00@stud.feec.vutbr.cz>
To: Greg KH <greg@kroah.com>
Cc: Marc-Christian Petersen <m.c.p@kernel.linux-systeme.com>,
linux-kernel@vger.kernel.org, Linus Torvalds <torvalds@osdl.org>,
Andrew Morton <akpm@osdl.org>
Subject: Re: [SECURITY] CAN-2004-0075
Date: Thu, 15 Apr 2004 12:04:27 +0200
Message-ID: <407E5E2B.2020700@stud.feec.vutbr.cz>
In-Reply-To: <20040414212724.GA24809@kroah.com>
Greg KH wrote:
> On Wed, Apr 14, 2004 at 10:30:33PM +0200, Marc-Christian Petersen wrote:
>>Okay, now while we are at fixing security holes, is there any chance we
>>can _finally_ get the attached patch in?
>>
>>The Vicam USB driver in all Linux Kernels 2.6 mainline does not use the
>>copy_from_user function when copying data from userspace to kernel space,
>>which crosses security boundaries and allows local users to cause a denial
>>of service.
>>
>>Already ACKed by Greg. Only complaint was improper coding style which is done
>>with attached patch ;)
>
>
> Eeek, I thought this one was already in the tree, very sorry about that.
>
> I'm applying it now and will send it to Linus in a bit.
>
The patch broke compilation with VICAM_DEBUG on.
There is also another copy_from_user missing in case VIDIOCSPICT.
I'm attaching a patch.
Michal Schmidt
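The pattern Marc-Christian describes above (an ioctl handler reading through a user-supplied pointer instead of going through copy_from_user) and the question of when validated data may touch device state, as an added user-space example. This is not code from the vicam driver, from the attached patch, or from anyone in this thread. It models copy_from_user() with a fixed buffer standing in for the user address range that access_ok() would accept; the struct layout follows the V4L1 video_picture fields, while the handler names, the helper functions and the value of VIDEO_PALETTE_RGB24 are assumptions made for the demo.

```c
/*
 * Added example, not code from the vicam driver or from this thread: a
 * user-space model of why an ioctl handler must not dereference a pointer
 * handed in by user space, and of why validation should come before any
 * change to device state.  The struct layout follows the V4L1
 * video_picture fields; the address-space model, handler names, helpers
 * and the palette constant's value are assumptions made for this demo.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VIDEO_PALETTE_RGB24 4   /* value assumed for the demo */

struct video_picture {
	uint16_t brightness, hue, colour, contrast, whiteness, depth, palette;
};

struct cam_state { int gain; };

/* Constructed stand-in for the user address range that access_ok() would
 * accept.  Any address outside it plays the role of an unmapped page. */
static unsigned char user_mem[4096];

/* Model of copy_from_user(): returns 0 on success, otherwise the number of
 * bytes that could not be copied, the same contract as the kernel API. */
static unsigned long model_copy_from_user(void *to, const void *from, unsigned long n)
{
	uintptr_t lo = (uintptr_t)user_mem, hi = lo + sizeof user_mem;
	uintptr_t p = (uintptr_t)from;

	if (p < lo || p >= hi || n > hi - p)
		return n;
	memcpy(to, from, n);
	return 0;
}

/* The pattern the patch removes: the user pointer is dereferenced directly.
 * In a real kernel a bad address here oopses; in this process it would
 * simply crash, which is why the demo never calls it with a wild pointer. */
static int vidiocspict_unsafe(struct cam_state *cam, void *arg)
{
	struct video_picture *vp = arg;

	cam->gain = vp->brightness >> 8;
	if (vp->depth != 24 || vp->palette != VIDEO_PALETTE_RGB24)
		return -EINVAL;
	return 0;
}

/* Hardened form: copy into a kernel-side struct, validate, then commit. */
static int vidiocspict_safe(struct cam_state *cam, const void *arg)
{
	struct video_picture vp;

	if (model_copy_from_user(&vp, arg, sizeof vp))
		return -EFAULT;
	if (vp.depth != 24 || vp.palette != VIDEO_PALETTE_RGB24)
		return -EINVAL;
	cam->gain = vp.brightness >> 8;
	return 0;
}

/* Write a constructed request into the model user space at byte offset off. */
static void put_user_picture(unsigned off, uint16_t brightness, uint16_t depth, uint16_t palette)
{
	struct video_picture vp = { .brightness = brightness, .depth = depth, .palette = palette };

	memcpy(user_mem + off, &vp, sizeof vp);
}

/* An address that is valid in this process but outside the model user range. */
static int not_user_memory;
static const void *outside_user_space(void) { return &not_user_memory; }

/* Run each handler from a known gain of 5 and report return value or gain. */
static int safe_ret(const void *arg)  { struct cam_state c = { 5 }; return vidiocspict_safe(&c, arg); }
static int safe_gain(const void *arg) { struct cam_state c = { 5 }; vidiocspict_safe(&c, arg); return c.gain; }
static int unsafe_ret(void *arg)      { struct cam_state c = { 5 }; return vidiocspict_unsafe(&c, arg); }
static int unsafe_gain(void *arg)     { struct cam_state c = { 5 }; vidiocspict_unsafe(&c, arg); return c.gain; }

int main(void)
{
	put_user_picture(0, 0x8000, 24, VIDEO_PALETTE_RGB24);
	printf("valid request:  safe ret %d gain %d\n", safe_ret(user_mem), safe_gain(user_mem));

	put_user_picture(0, 0x8000, 16, VIDEO_PALETTE_RGB24);
	printf("bad depth:      safe ret %d gain %d, unsafe ret %d gain %d\n",
	       safe_ret(user_mem), safe_gain(user_mem), unsafe_ret(user_mem), unsafe_gain(user_mem));

	printf("wild pointer:   safe ret %d (unsafe handler would oops)\n",
	       safe_ret(outside_user_space()));
	printf("struct straddling end of user range: safe ret %d\n",
	       safe_ret(user_mem + sizeof user_mem - 2));
	return 0;
}
```

Build with any C99 compiler and run. The safe handler returns -EFAULT for a pointer outside the model range and for a struct that straddles its end, and on -EINVAL it leaves the gain untouched; the unsafe handler, given the same in-range but invalid request, has already changed the gain by the time it rejects the call.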
[-- Attachment #2: vicam-ioctl.diff --]
[-- Type: text/plain, Size: 1125 bytes --]
--- linux-2.6.6-rc1/drivers/usb/media/vicam.c 2004-04-15 11:18:18.000000000 +0200
+++ linux-2.6.6-rc1-mich/drivers/usb/media/vicam.c 2004-04-15 11:50:02.791604312 +0200
@@ -612,15 +612,20 @@ vicam_ioctl(struct inode *inode, struct
case VIDIOCSPICT:
{
- struct video_picture *vp = (struct video_picture *) arg;
-
- DBG("VIDIOCSPICT depth = %d, pal = %d\n", vp->depth,
- vp->palette);
+ struct video_picture vp;
+
+ if (copy_from_user(&vp, arg, sizeof(vp))) {
+ retval = -EFAULT;
+ break;
+ }
+
+ DBG("VIDIOCSPICT depth = %d, pal = %d\n", vp.depth,
+ vp.palette);
- cam->gain = vp->brightness >> 8;
+ cam->gain = vp.brightness >> 8;
- if (vp->depth != 24
- || vp->palette != VIDEO_PALETTE_RGB24)
+ if (vp.depth != 24
+ || vp.palette != VIDEO_PALETTE_RGB24)
retval = -EINVAL;
break;
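Review bot: the depth/palette validation in this hunk still runs after `cam->gain = vp.brightness >> 8;` has been stored, so a request that is rejected with -EINVAL has already changed the camera gain; move the `if (vp.depth != 24 || vp.palette != VIDEO_PALETTE_RGB24)` check above the assignment so device state is only touched by a request that passes. The copy_from_user() into a local struct with `retval = -EFAULT; break;` on failure, and moving the DBG line after the copy so a VICAM_DEBUG build reads the local `vp`, are otherwise right.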
@@ -660,7 +665,7 @@ vicam_ioctl(struct inode *inode, struct
break;
}
- DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
+ DBG("VIDIOCSWIN %d x %d\n", vw.width, vw.height);
if ( vw.width != 320 || vw.height != 240 )
retval = -EFAULT;
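Review bot: the size check kept as context in this hunk, `if ( vw.width != 320 || vw.height != 240 ) retval = -EFAULT;`, returns -EFAULT for a request that was copied in successfully; -EFAULT means a bad user address, while -EINVAL, as the VIDIOCSPICT case in the previous hunk already uses, tells the caller the geometry rather than the pointer was rejected. The DBG change from `vw->width`/`vw->height` to `vw.width`/`vw.height` is the right fix for the VICAM_DEBUG compile break described in the mail.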
Thread overview: 9+ messages
2004-04-14 17:11 [SECURITY] CAN-2004-0109 isofs fix Dave Jones
2004-04-14 20:30 ` [SECURITY] CAN-2004-0075 (was: Re: [SECURITY] CAN-2004-0109 isofs fix.) Marc-Christian Petersen
2004-04-14 20:47 ` Dave Jones
2004-04-14 21:34 ` Marc-Christian Petersen
2004-04-14 21:27 ` Greg KH
2004-04-14 21:34 ` Marc-Christian Petersen
2004-04-15 10:04 ` Michal Schmidt [this message]
2004-04-14 23:35 ` [SECURITY] CAN-2004-0177 (was: Re: [SECURITY] CAN-2004-0075) Marc-Christian Petersen
2004-04-15 10:21 ` Stephen C. Tweedie