Message ID | 1303503173.2050.31.camel@emiko |
---|---|
State | New |
Headers | show |
On 04/22/2011 01:12 PM, Leann Ogasawara wrote: > The following changes since commit a9db1134ee83026cf7ff4e192785c436d4573bad: > Steve Conklin (1): > UBUNTU: Ubuntu-2.6.24-29.89 > > are available in the git repository at: > > git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2011-0712 > > Takashi Iwai (1): > ALSA: caiaq - Fix possible string-buffer overflow, CVE-2011-0712 > > sound/usb/caiaq/caiaq-audio.c | 2 +- > sound/usb/caiaq/caiaq-device.c | 4 ++-- > sound/usb/caiaq/caiaq-midi.c | 2 +- > 3 files changed, 4 insertions(+), 4 deletions(-) > > From 211f02c1eadb3c00bc59a20fdf24e9ac8a026326 Mon Sep 17 00:00:00 2001 > From: Takashi Iwai<tiwai@suse.de> > Date: Mon, 14 Feb 2011 22:45:59 +0100 > Subject: [PATCH] ALSA: caiaq - Fix possible string-buffer overflow, CVE-2011-0712 > > BugLink: http://bugs.launchpad.net/bugs/768448 > > CVE-2011-0712 > > Use strlcpy() to assure not to overflow the string array sizes by > too long USB device name string. > > Reported-by: Rafa<rafa@mwrinfosecurity.com> > Cc: stable<stable@kernel.org> > Signed-off-by: Takashi Iwai<tiwai@suse.de> > (backported from upstream commit eaae55dac6b64c0616046436b294e69fc5311581) > > Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com> > --- > sound/usb/caiaq/caiaq-audio.c | 2 +- > sound/usb/caiaq/caiaq-device.c | 4 ++-- > sound/usb/caiaq/caiaq-midi.c | 2 +- > 3 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/sound/usb/caiaq/caiaq-audio.c b/sound/usb/caiaq/caiaq-audio.c > index 0666908..5e1aeac 100644 > --- a/sound/usb/caiaq/caiaq-audio.c > +++ b/sound/usb/caiaq/caiaq-audio.c > @@ -636,7 +636,7 @@ int __devinit snd_usb_caiaq_audio_init(struct snd_usb_caiaqdev *dev) > } > > dev->pcm->private_data = dev; > - strcpy(dev->pcm->name, dev->product_name); > + strlcpy(dev->pcm->name, dev->product_name, sizeof(dev->pcm->name)); > > memset(dev->sub_playback, 0, sizeof(dev->sub_playback)); > memset(dev->sub_capture, 0, sizeof(dev->sub_capture)); > diff --git a/sound/usb/caiaq/caiaq-device.c b/sound/usb/caiaq/caiaq-device.c > index 58af814..78b74c3 100644 > --- a/sound/usb/caiaq/caiaq-device.c > +++ b/sound/usb/caiaq/caiaq-device.c > @@ -361,8 +361,8 @@ static int init_card(struct snd_usb_caiaqdev *dev) > if (c) > *c = '\0'; > > - strcpy(card->driver, MODNAME); > - strcpy(card->shortname, dev->product_name); > + strlcpy(card->driver, MODNAME, sizeof(card->driver)); > + strlcpy(card->shortname, dev->product_name, sizeof(card->shortname)); > > len = snprintf(card->longname, sizeof(card->longname), > "%s %s (serial %s, ", > diff --git a/sound/usb/caiaq/caiaq-midi.c b/sound/usb/caiaq/caiaq-midi.c > index 793ca20..1c14ba9 100644 > --- a/sound/usb/caiaq/caiaq-midi.c > +++ b/sound/usb/caiaq/caiaq-midi.c > @@ -137,7 +137,7 @@ int __devinit snd_usb_caiaq_midi_init(struct snd_usb_caiaqdev *device) > if (ret< 0) > return ret; > > - strcpy(rmidi->name, device->product_name); > + strlcpy(rmidi->name, device->product_name, sizeof(rmidi->name)); > > rmidi->info_flags = SNDRV_RAWMIDI_INFO_DUPLEX; > rmidi->private_data = device; Acked-by: Brad Figg <brad.figg@canonical.com>
On 04/22/2011 02:12 PM, Leann Ogasawara wrote: > The following changes since commit a9db1134ee83026cf7ff4e192785c436d4573bad: > Steve Conklin (1): > UBUNTU: Ubuntu-2.6.24-29.89 > > are available in the git repository at: > > git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2011-0712 > > Takashi Iwai (1): > ALSA: caiaq - Fix possible string-buffer overflow, CVE-2011-0712 > > sound/usb/caiaq/caiaq-audio.c | 2 +- > sound/usb/caiaq/caiaq-device.c | 4 ++-- > sound/usb/caiaq/caiaq-midi.c | 2 +- > 3 files changed, 4 insertions(+), 4 deletions(-) > > From 211f02c1eadb3c00bc59a20fdf24e9ac8a026326 Mon Sep 17 00:00:00 2001 > From: Takashi Iwai<tiwai@suse.de> > Date: Mon, 14 Feb 2011 22:45:59 +0100 > Subject: [PATCH] ALSA: caiaq - Fix possible string-buffer overflow, CVE-2011-0712 > > BugLink: http://bugs.launchpad.net/bugs/768448 > > CVE-2011-0712 > > Use strlcpy() to assure not to overflow the string array sizes by > too long USB device name string. > > Reported-by: Rafa<rafa@mwrinfosecurity.com> > Cc: stable<stable@kernel.org> > Signed-off-by: Takashi Iwai<tiwai@suse.de> > (backported from upstream commit eaae55dac6b64c0616046436b294e69fc5311581) > > Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com> > --- > sound/usb/caiaq/caiaq-audio.c | 2 +- > sound/usb/caiaq/caiaq-device.c | 4 ++-- > sound/usb/caiaq/caiaq-midi.c | 2 +- > 3 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/sound/usb/caiaq/caiaq-audio.c b/sound/usb/caiaq/caiaq-audio.c > index 0666908..5e1aeac 100644 > --- a/sound/usb/caiaq/caiaq-audio.c > +++ b/sound/usb/caiaq/caiaq-audio.c > @@ -636,7 +636,7 @@ int __devinit snd_usb_caiaq_audio_init(struct snd_usb_caiaqdev *dev) > } > > dev->pcm->private_data = dev; > - strcpy(dev->pcm->name, dev->product_name); > + strlcpy(dev->pcm->name, dev->product_name, sizeof(dev->pcm->name)); > > memset(dev->sub_playback, 0, sizeof(dev->sub_playback)); > memset(dev->sub_capture, 0, sizeof(dev->sub_capture)); > diff --git a/sound/usb/caiaq/caiaq-device.c b/sound/usb/caiaq/caiaq-device.c > index 58af814..78b74c3 100644 > --- a/sound/usb/caiaq/caiaq-device.c > +++ b/sound/usb/caiaq/caiaq-device.c > @@ -361,8 +361,8 @@ static int init_card(struct snd_usb_caiaqdev *dev) > if (c) > *c = '\0'; > > - strcpy(card->driver, MODNAME); > - strcpy(card->shortname, dev->product_name); > + strlcpy(card->driver, MODNAME, sizeof(card->driver)); > + strlcpy(card->shortname, dev->product_name, sizeof(card->shortname)); > > len = snprintf(card->longname, sizeof(card->longname), > "%s %s (serial %s, ", > diff --git a/sound/usb/caiaq/caiaq-midi.c b/sound/usb/caiaq/caiaq-midi.c > index 793ca20..1c14ba9 100644 > --- a/sound/usb/caiaq/caiaq-midi.c > +++ b/sound/usb/caiaq/caiaq-midi.c > @@ -137,7 +137,7 @@ int __devinit snd_usb_caiaq_midi_init(struct snd_usb_caiaqdev *device) > if (ret< 0) > return ret; > > - strcpy(rmidi->name, device->product_name); > + strlcpy(rmidi->name, device->product_name, sizeof(rmidi->name)); > > rmidi->info_flags = SNDRV_RAWMIDI_INFO_DUPLEX; > rmidi->private_data = device; Acked-by: Tim Gardner <tim.gardner@canonical.com>
On 04/22/2011 02:12 PM, Leann Ogasawara wrote: > git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2011-0712 > applied
diff --git a/sound/usb/caiaq/caiaq-audio.c b/sound/usb/caiaq/caiaq-audio.c index 0666908..5e1aeac 100644 --- a/sound/usb/caiaq/caiaq-audio.c +++ b/sound/usb/caiaq/caiaq-audio.c @@ -636,7 +636,7 @@ int __devinit snd_usb_caiaq_audio_init(struct snd_usb_caiaqdev *dev) } dev->pcm->private_data = dev; - strcpy(dev->pcm->name, dev->product_name); + strlcpy(dev->pcm->name, dev->product_name, sizeof(dev->pcm->name)); memset(dev->sub_playback, 0, sizeof(dev->sub_playback)); memset(dev->sub_capture, 0, sizeof(dev->sub_capture)); diff --git a/sound/usb/caiaq/caiaq-device.c b/sound/usb/caiaq/caiaq-device.c index 58af814..78b74c3 100644 --- a/sound/usb/caiaq/caiaq-device.c +++ b/sound/usb/caiaq/caiaq-device.c @@ -361,8 +361,8 @@ static int init_card(struct snd_usb_caiaqdev *dev) if (c) *c = '\0'; - strcpy(card->driver, MODNAME); - strcpy(card->shortname, dev->product_name); + strlcpy(card->driver, MODNAME, sizeof(card->driver)); + strlcpy(card->shortname, dev->product_name, sizeof(card->shortname)); len = snprintf(card->longname, sizeof(card->longname), "%s %s (serial %s, ", diff --git a/sound/usb/caiaq/caiaq-midi.c b/sound/usb/caiaq/caiaq-midi.c index 793ca20..1c14ba9 100644 --- a/sound/usb/caiaq/caiaq-midi.c +++ b/sound/usb/caiaq/caiaq-midi.c @@ -137,7 +137,7 @@ int __devinit snd_usb_caiaq_midi_init(struct snd_usb_caiaqdev *device) if (ret < 0) return ret; - strcpy(rmidi->name, device->product_name); + strlcpy(rmidi->name, device->product_name, sizeof(rmidi->name)); rmidi->info_flags = SNDRV_RAWMIDI_INFO_DUPLEX; rmidi->private_data = device;