From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
torvalds@linux-foundation.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
adlab@venustech.com.cn, kkeil@suse.de
Subject: [patch 10/36] I4L: fix isdn_ioctl memory overrun vulnerability
Date: Wed, 12 Dec 2007 22:34:29 -0800 [thread overview]
Message-ID: <20071213063429.GK25301@kroah.com> (raw)
In-Reply-To: <20071213063308.GA25301@kroah.com>
[-- Attachment #1: i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch --]
[-- Type: text/plain, Size: 1995 bytes --]
2.6.22-stable review patch. If anyone has any objections, please let us
know.
------------------
From: Karsten Keil <kkeil@suse.de>
patch eafe1aa37e6ec2d56f14732b5240c4dd09f0613a in mainline.
Fix possible memory overrun issue in the isdn ioctl code. Found by ADLAB
<adlab@venustech.com.cn>
Signed-off-by: Karsten Keil <kkeil@suse.de>
Cc: ADLAB <adlab@venustech.com.cn>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/isdn/i4l/isdn_common.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/isdn/i4l/isdn_common.c
+++ b/drivers/isdn/i4l/isdn_common.c
@@ -1514,6 +1514,7 @@ isdn_ioctl(struct inode *inode, struct f
if (copy_from_user(&iocts, argp,
sizeof(isdn_ioctl_struct)))
return -EFAULT;
+ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
if (strlen(iocts.drvid)) {
if ((p = strchr(iocts.drvid, ',')))
*p = 0;
@@ -1598,6 +1599,7 @@ isdn_ioctl(struct inode *inode, struct f
if (copy_from_user(&iocts, argp,
sizeof(isdn_ioctl_struct)))
return -EFAULT;
+ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
if (strlen(iocts.drvid)) {
drvidx = -1;
for (i = 0; i < ISDN_MAX_DRIVERS; i++)
@@ -1642,7 +1644,7 @@ isdn_ioctl(struct inode *inode, struct f
} else {
p = (char __user *) iocts.arg;
for (i = 0; i < 10; i++) {
- sprintf(bname, "%s%s",
+ snprintf(bname, sizeof(bname), "%s%s",
strlen(dev->drv[drvidx]->msn2eaz[i]) ?
dev->drv[drvidx]->msn2eaz[i] : "_",
(i < 9) ? "," : "\0");
@@ -1672,6 +1674,7 @@ isdn_ioctl(struct inode *inode, struct f
char *p;
if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct)))
return -EFAULT;
+ iocts.drvid[sizeof(iocts.drvid)-1] = 0;
if (strlen(iocts.drvid)) {
if ((p = strchr(iocts.drvid, ',')))
*p = 0;
--
next prev parent reply other threads:[~2007-12-13 6:41 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20071213062511.265908583@mini.kroah.org>
2007-12-13 6:33 ` [patch 00/36] 2.6.22-stable review Greg KH
2007-12-13 6:33 ` [patch 01/36] atl1: disable broken 64-bit DMA Greg KH
2007-12-13 6:33 ` [patch 02/36] rd: fix data corruption on memory pressure Future of Linux 2.6.22.y series Greg KH
2007-12-13 6:34 ` [patch 03/36] wait_task_stopped(): pass correct exit_code to wait_noreap_copyout() Greg KH
2007-12-13 6:34 ` [patch 04/36] USB: make the microtek driver and HAL cooperate Greg KH
2007-12-13 6:34 ` [patch 05/36] USB: fix up EHCI startup synchronization Greg KH
2007-12-13 6:34 ` [patch 06/36] tmpfs: restore missing clear_highpage Greg KH
2007-12-13 6:34 ` [patch 07/36] nf_nat: fix memset error Greg KH
2007-12-13 6:34 ` [patch 08/36] libcrc32c: keep intermediate crc state in cpu order Greg KH
2007-12-13 6:34 ` [patch 09/36] isdn: avoid copying overly-long strings Greg KH
2007-12-13 6:34 ` Greg KH [this message]
2007-12-13 6:34 ` [patch 11/36] hrtimers: avoid overflow for large relative timeouts (CVE-2007-5966) Greg KH
2007-12-13 6:34 ` [patch 12/36] futex: fix for futex_wait signal stack corruption Greg KH
2007-12-13 6:34 ` [patch 13/36] forcedeth: new mcp79 pci ids Greg KH
2007-12-13 6:34 ` [patch 14/36] forcedeth boot delay fix Greg KH
2007-12-13 6:34 ` [patch 15/36] fb_ddc: fix DDC lines quirk Greg KH
2007-12-13 6:34 ` [patch 16/36] TCP: Problem bug with sysctl_tcp_congestion_control function Greg KH
2007-12-13 6:34 ` [patch 17/36] TCP: MTUprobe: fix potential sk_send_head corruption Greg KH
2007-12-13 6:34 ` [patch 18/36] PFKEY: Sending an SADB_GET responds with an SADB_GET Greg KH
2007-12-13 6:34 ` [patch 19/36] NET: Corrects a bug in ip_rt_acct_read() Greg KH
2007-12-13 6:34 ` [patch 20/36] IPV4: Remove bogus ifdef mess in arp_process Greg KH
2007-12-13 6:34 ` [patch 21/36] CRYPTO api: Fix potential race in crypto_remove_spawn Greg KH
2007-12-13 6:35 ` [patch 22/36] ATM: initialize lock and tasklet earlier Greg KH
2007-12-13 6:35 ` [patch 23/36] UNIX: EOF on non-blocking SOCK_SEQPACKET Greg KH
2007-12-13 6:35 ` [patch 24/36] TEXTSEARCH: Do not allow zero length patterns in the textsearch infrastructure Greg KH
2007-12-13 6:35 ` [patch 25/36] TCP: illinois: Incorrect beta usage Greg KH
2007-12-13 6:35 ` [patch 26/36] RXRPC: Add missing select on CRYPTO Greg KH
2007-12-13 6:35 ` [patch 27/36] IPV6: Restore IPv6 when MTU is big enough Greg KH
2007-12-13 6:35 ` [patch 28/36] DECNET: dn_nl_deladdr() almost always returns no error Greg KH
2007-12-13 6:35 ` [patch 29/36] BRIDGE: Lost call to br_fdb_fini() in br_init() error path Greg KH
2007-12-13 6:35 ` [patch 30/36] knfsd: Validate filehandle type in fsid_source Greg KH
2007-12-13 6:35 ` [patch 31/36] Revert "Fix SMP poweroff hangs" Greg KH
2007-12-13 6:35 ` [patch 32/36] XFS: Make xfsbufd threads freezable Greg KH
2007-12-13 18:46 ` Fortier,Vincent [Montreal]
2007-12-13 19:07 ` Olivér Pintér
2007-12-13 19:16 ` Olivér Pintér
2007-12-14 0:34 ` Greg KH
2007-12-13 6:35 ` [patch 33/36] XFRM: Fix leak of expired xfrm_states Greg KH
2007-12-13 6:35 ` [patch 34/36] NETFILTER: xt_TCPMSS: remove network triggerable WARN_ON Greg KH
2007-12-13 6:35 ` [patch 35/36] libata: kill spurious NCQ completion detection Greg KH
2007-12-13 6:35 ` [patch 36/36] BRIDGE: Properly dereference the br_should_route_hook Greg KH
2007-12-13 6:42 ` [stable] [patch 00/36] 2.6.22-stable review Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071213063429.GK25301@kroah.com \
--to=gregkh@suse.de \
--cc=adlab@venustech.com.cn \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cavokz@gmail.com \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=jmforbes@linuxtx.org \
--cc=kkeil@suse.de \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox