Message ID | 1303330985.2050.9.camel@emiko |
---|---|
State | New |
Headers | show |
On 04/20/2011 01:23 PM, Leann Ogasawara wrote: > The following changes since commit a6abc5582f64808c74c4973590bc5cbf8d67cead: > Dan Rosenberg (1): > irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529 > > are available in the git repository at: > > git://kernel.ubuntu.com/ogasawara/ubuntu-dapper.git CVE-2011-0521 > > Dan Carpenter (1): > [media] [v3,media] av7110: check for negative array offset, CVE-2011-0521 > > drivers/media/dvb/ttpci/av7110_ca.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > From ab564569938b086bdc8fce1b189a757cd2683d1b Mon Sep 17 00:00:00 2001 > From: Dan Carpenter<error27@gmail.com> > Date: Fri, 7 Jan 2011 16:41:54 -0300 > Subject: [PATCH] [media] [v3,media] av7110: check for negative array offset, CVE-2011-0521 > > BugLink: http://bugs.launchpad.net/bugs/767526 > > CVE-2011-0521 > > info->num comes from the user. It's type int. If the user passes > in a negative value that would cause memory corruption. > > Signed-off-by: Dan Carpenter<error27@gmail.com> > Signed-off-by: Mauro Carvalho Chehab<mchehab@redhat.com> > (cherry picked from commit cb26a24ee9706473f31d34cc259f4dcf45cd0644) > > Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com> > --- > drivers/media/dvb/ttpci/av7110_ca.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c > index 6079e88..873895a 100644 > --- a/drivers/media/dvb/ttpci/av7110_ca.c > +++ b/drivers/media/dvb/ttpci/av7110_ca.c > @@ -280,7 +280,7 @@ static int dvb_ca_ioctl(struct inode *inode, struct file *file, > { > ca_slot_info_t *info=(ca_slot_info_t *)parg; > > - if (info->num> 1) > + if (info->num< 0 || info->num> 1) > return -EINVAL; > av7110->ci_slot[info->num].num = info->num; > av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? This is a perfect example of a bug that should not be classified as a CVE. Acked-by: Brad Figg <brad.figg@canonical.com>
On 04/20/2011 10:23 PM, Leann Ogasawara wrote: > The following changes since commit a6abc5582f64808c74c4973590bc5cbf8d67cead: > Dan Rosenberg (1): > irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529 > > are available in the git repository at: > > git://kernel.ubuntu.com/ogasawara/ubuntu-dapper.git CVE-2011-0521 > > Dan Carpenter (1): > [media] [v3,media] av7110: check for negative array offset, CVE-2011-0521 > > drivers/media/dvb/ttpci/av7110_ca.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > From ab564569938b086bdc8fce1b189a757cd2683d1b Mon Sep 17 00:00:00 2001 > From: Dan Carpenter <error27@gmail.com> > Date: Fri, 7 Jan 2011 16:41:54 -0300 > Subject: [PATCH] [media] [v3,media] av7110: check for negative array offset, CVE-2011-0521 > > BugLink: http://bugs.launchpad.net/bugs/767526 > > CVE-2011-0521 > > info->num comes from the user. It's type int. If the user passes > in a negative value that would cause memory corruption. > > Signed-off-by: Dan Carpenter <error27@gmail.com> > Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> > (cherry picked from commit cb26a24ee9706473f31d34cc259f4dcf45cd0644) > > Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> > --- > drivers/media/dvb/ttpci/av7110_ca.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c > index 6079e88..873895a 100644 > --- a/drivers/media/dvb/ttpci/av7110_ca.c > +++ b/drivers/media/dvb/ttpci/av7110_ca.c > @@ -280,7 +280,7 @@ static int dvb_ca_ioctl(struct inode *inode, struct file *file, > { > ca_slot_info_t *info=(ca_slot_info_t *)parg; > > - if (info->num > 1) > + if (info->num < 0 || info->num > 1) > return -EINVAL; > av7110->ci_slot[info->num].num = info->num; > av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? Acked-by: Stefan Bader <stefan.bader@canonical.com>
On 04/20/2011 02:23 PM, Leann Ogasawara wrote: > The following changes since commit a6abc5582f64808c74c4973590bc5cbf8d67cead: > Dan Rosenberg (1): > irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529 > > are available in the git repository at: > > git://kernel.ubuntu.com/ogasawara/ubuntu-dapper.git CVE-2011-0521 > > Dan Carpenter (1): > [media] [v3,media] av7110: check for negative array offset, CVE-2011-0521 > > drivers/media/dvb/ttpci/av7110_ca.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > From ab564569938b086bdc8fce1b189a757cd2683d1b Mon Sep 17 00:00:00 2001 > From: Dan Carpenter<error27@gmail.com> > Date: Fri, 7 Jan 2011 16:41:54 -0300 > Subject: [PATCH] [media] [v3,media] av7110: check for negative array offset, CVE-2011-0521 > > BugLink: http://bugs.launchpad.net/bugs/767526 > > CVE-2011-0521 > > info->num comes from the user. It's type int. If the user passes > in a negative value that would cause memory corruption. > > Signed-off-by: Dan Carpenter<error27@gmail.com> > Signed-off-by: Mauro Carvalho Chehab<mchehab@redhat.com> > (cherry picked from commit cb26a24ee9706473f31d34cc259f4dcf45cd0644) > > Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com> > --- > drivers/media/dvb/ttpci/av7110_ca.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c > index 6079e88..873895a 100644 > --- a/drivers/media/dvb/ttpci/av7110_ca.c > +++ b/drivers/media/dvb/ttpci/av7110_ca.c > @@ -280,7 +280,7 @@ static int dvb_ca_ioctl(struct inode *inode, struct file *file, > { > ca_slot_info_t *info=(ca_slot_info_t *)parg; > > - if (info->num> 1) > + if (info->num< 0 || info->num> 1) > return -EINVAL; > av7110->ci_slot[info->num].num = info->num; > av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ? applied
diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c index 6079e88..873895a 100644 --- a/drivers/media/dvb/ttpci/av7110_ca.c +++ b/drivers/media/dvb/ttpci/av7110_ca.c @@ -280,7 +280,7 @@ static int dvb_ca_ioctl(struct inode *inode, struct file *file, { ca_slot_info_t *info=(ca_slot_info_t *)parg; - if (info->num > 1) + if (info->num < 0 || info->num > 1) return -EINVAL; av7110->ci_slot[info->num].num = info->num; av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?