Commit e19cd00e authored by Marc-Christian Petersen, committed by Greg Kroah-Hartman

[PATCH] USB: fix CAN-2004-0075

Okay, now while we are at fixing security holes, is there any chance we
can _finally_ get the attached patch in?

The Vicam USB driver in all Linux Kernels 2.6 mainline does not use the
copy_from_user function when copying data from userspace to kernel space,
which crosses security boundaries and allows local users to cause a denial
of service.

Already ACKed by Greg. Only complaint was improper coding style which is done
with attached patch ;)

ciao, Marc
parent 0862742d
...@@ -653,12 +653,18 @@ vicam_ioctl(struct inode *inode, struct file *file, unsigned int ioctlnr, unsign ...@@ -653,12 +653,18 @@ vicam_ioctl(struct inode *inode, struct file *file, unsigned int ioctlnr, unsign
case VIDIOCSWIN: case VIDIOCSWIN:
{ {
struct video_window *vw = (struct video_window *) arg; struct video_window vw;
DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
if ( vw->width != 320 || vw->height != 240 ) if (copy_from_user(&vw, arg, sizeof(vw))) {
retval = -EFAULT; retval = -EFAULT;
break;
}
DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
if ( vw.width != 320 || vw.height != 240 )
retval = -EFAULT;
break; break;
} }
......
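Review bot: The added DBG line after the copy_from_user block still dereferences vw->width and vw->height, but vw is now a struct video_window on the stack rather than a pointer, so this will not build whenever DBG expands to a real print. It should read vw.width and vw.height, matching the size check on the next line. Placing the DBG after the copy is the right order, since the removed version read the user pointer before any validation. Separately, the removed line cast arg to a pointer before use; if arg is not already a pointer type in this function, the copy_from_user(&vw, arg, sizeof(vw)) call needs the same cast, ideally with a __user annotation.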