From: Marc-Christian Petersen <m.c.p@kernel.linux-systeme.com>
To: linux-kernel@vger.kernel.org
Cc: Linus Torvalds <torvalds@osdl.org>, Andrew Morton <akpm@osdl.org>,
greg@kroah.com
Subject: [SECURITY] CAN-2004-0075 (was: Re: [SECURITY] CAN-2004-0109 isofs fix.)
Date: Wed, 14 Apr 2004 22:30:33 +0200 [thread overview]
Message-ID: <200404142230.33553@WOLK> (raw)
In-Reply-To: <20040414171147.GB23419@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 578 bytes --]
On Wednesday 14 April 2004 19:11, Dave Jones wrote:
Hi,
> Merged in 2.4, and various vendor kernels today..
Okay, now while we are at fixing security holes, is there any chance we
can _finally_ get the attached patch in?
The Vicam USB driver in all Linux Kernels 2.6 mainline does not use the
copy_from_user function when copying data from userspace to kernel space,
which crosses security boundaries and allows local users to cause a denial
of service.
Already ACKed by Greg. Only complaint was inproper coding style which is done
with attached patch ;)
ciao, Marc
[-- Attachment #2: 8009_CAN-2004-0075-usb-vicam.patch --]
[-- Type: text/x-diff, Size: 686 bytes --]
diff -urN a/drivers/usb/media/vicam.c b/drivers/usb/media/vicam.c
--- a/drivers/usb/media/vicam.c 2003-11-28 10:26:20.000000000 +0100
+++ b/drivers/usb/media/vicam.c 2004-01-15 12:10:23.000000000 +0100
@@ -653,12 +653,18 @@
case VIDIOCSWIN:
{
- struct video_window *vw = (struct video_window *) arg;
- DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
+ struct video_window vw;
- if ( vw->width != 320 || vw->height != 240 )
+ if (copy_from_user(&vw, arg, sizeof(vw))) {
retval = -EFAULT;
+ break;
+ }
+
+ DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
+ if ( vw.width != 320 || vw.height != 240 )
+ retval = -EFAULT;
+
break;
}
next prev parent reply other threads:[~2004-04-14 20:31 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-04-14 17:11 [SECURITY] CAN-2004-0109 isofs fix Dave Jones
2004-04-14 20:30 ` Marc-Christian Petersen [this message]
2004-04-14 20:47 ` [SECURITY] CAN-2004-0075 (was: Re: [SECURITY] CAN-2004-0109 isofs fix.) Dave Jones
2004-04-14 21:34 ` Marc-Christian Petersen
2004-04-14 21:27 ` Greg KH
2004-04-14 21:34 ` Marc-Christian Petersen
2004-04-15 10:04 ` [SECURITY] CAN-2004-0075 Michal Schmidt
2004-04-14 23:35 ` [SECURITY] CAN-2004-0177 (was: Re: [SECURITY] CAN-2004-0075) Marc-Christian Petersen
2004-04-15 10:21 ` Stephen C. Tweedie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200404142230.33553@WOLK \
--to=m.c.p@kernel.linux-systeme.com \
--cc=akpm@osdl.org \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox