Patchwork [1/1] can-bcm: fix minor heap overflow

login
register
mail settings
Submitter Andy Whitcroft
Date Jan. 31, 2011, 3:17 p.m.
Message ID <1296487078-13006-2-git-send-email-apw@canonical.com>
Download mbox | patch
Permalink /patch/81123/
State Accepted
Commit 7c195ca10fbb7dba484c57a8a99f752c10abe0c7
Headers show

Comments

Andy Whitcroft - Jan. 31, 2011, 3:17 p.m.
From: Oliver Hartkopp <socketcan@hartkopp.net>

On 64-bit platforms the ASCII representation of a pointer may be up to 17
bytes long. This patch increases the length of the buffer accordingly.

http://marc.info/?l=linux-netdev&m=128872251418192&w=2

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
CC: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

CVE-2010-3874
(cherry-picked from 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 upstream)
BugLink: http://bugs.launchpad.net/bugs/710680
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 net/can/bcm.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
Tim Gardner - Jan. 31, 2011, 3:46 p.m.
On 01/31/2011 08:17 AM, Andy Whitcroft wrote:
> From: Oliver Hartkopp<socketcan@hartkopp.net>
>
> On 64-bit platforms the ASCII representation of a pointer may be up to 17
> bytes long. This patch increases the length of the buffer accordingly.
>
> http://marc.info/?l=linux-netdev&m=128872251418192&w=2
>
> Reported-by: Dan Rosenberg<drosenberg@vsecurity.com>
> Signed-off-by: Oliver Hartkopp<socketcan@hartkopp.net>
> CC: Linus Torvalds<torvalds@linux-foundation.org>
> Signed-off-by: David S. Miller<davem@davemloft.net>
>
> CVE-2010-3874
> (cherry-picked from 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 upstream)
> BugLink: http://bugs.launchpad.net/bugs/710680
> Signed-off-by: Andy Whitcroft<apw@canonical.com>
> ---
>   net/can/bcm.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/net/can/bcm.c b/net/can/bcm.c
> index 6b26e6b..d84dfb9 100644
> --- a/net/can/bcm.c
> +++ b/net/can/bcm.c
> @@ -123,7 +123,7 @@ struct bcm_sock {
>   	struct list_head tx_ops;
>   	unsigned long dropped_usr_msgs;
>   	struct proc_dir_entry *bcm_proc_read;
> -	char procname [9]; /* pointer printed in ASCII with \0 */
> +	char procname [20]; /* pointer printed in ASCII with \0 */
>   };
>
>   static inline struct bcm_sock *bcm_sk(const struct sock *sk)

Acked-by: Tim Gardner <tim.gardner@canonical.com>
Brad Figg - Feb. 1, 2011, 4 a.m.
On 01/31/2011 07:17 AM, Andy Whitcroft wrote:
> From: Oliver Hartkopp<socketcan@hartkopp.net>
>
> On 64-bit platforms the ASCII representation of a pointer may be up to 17
> bytes long. This patch increases the length of the buffer accordingly.
>
> http://marc.info/?l=linux-netdev&m=128872251418192&w=2
>
> Reported-by: Dan Rosenberg<drosenberg@vsecurity.com>
> Signed-off-by: Oliver Hartkopp<socketcan@hartkopp.net>
> CC: Linus Torvalds<torvalds@linux-foundation.org>
> Signed-off-by: David S. Miller<davem@davemloft.net>
>
> CVE-2010-3874
> (cherry-picked from 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 upstream)
> BugLink: http://bugs.launchpad.net/bugs/710680
> Signed-off-by: Andy Whitcroft<apw@canonical.com>
> ---
>   net/can/bcm.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/net/can/bcm.c b/net/can/bcm.c
> index 6b26e6b..d84dfb9 100644
> --- a/net/can/bcm.c
> +++ b/net/can/bcm.c
> @@ -123,7 +123,7 @@ struct bcm_sock {
>   	struct list_head tx_ops;
>   	unsigned long dropped_usr_msgs;
>   	struct proc_dir_entry *bcm_proc_read;
> -	char procname [9]; /* pointer printed in ASCII with \0 */
> +	char procname [20]; /* pointer printed in ASCII with \0 */
>   };
>
>   static inline struct bcm_sock *bcm_sk(const struct sock *sk)

Acked-by: Brad Figg <brad.figg@canonical.com>
Andy Whitcroft - Feb. 1, 2011, 11:49 a.m.
Applied to Karmic.

-apw

Patch

diff --git a/net/can/bcm.c b/net/can/bcm.c
index 6b26e6b..d84dfb9 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -123,7 +123,7 @@  struct bcm_sock {
 	struct list_head tx_ops;
 	unsigned long dropped_usr_msgs;
 	struct proc_dir_entry *bcm_proc_read;
-	char procname [9]; /* pointer printed in ASCII with \0 */
+	char procname [20]; /* pointer printed in ASCII with \0 */
 };
 
 static inline struct bcm_sock *bcm_sk(const struct sock *sk)