gdth: integer overflow in ioctl
On 02/02/2011 05:27 AM, Andy Whitcroft wrote:
Integer overflow in the ioc_general function in drivers/scsi/gdth.c
in the Linux kernel before 22.214.171.124 on 64-bit platforms allows
local users to cause a denial of service (memory corruption)
or possibly have unspecified other impact via a large argument
in an ioctl call.
This was fixed before Natty opened, and has already hit Maverick and
Lucid via the upstream stable process. The upstream fix cherry-picks
back to Karmic and Hardy unchanged. I have backported this fix to
Dapper as well; including checks for additional parameters from
userspace (which are validated in other ways in Hardy and later).
Two patches follow, one for Dapper, and a second for Hardy and Karmic.
Acked-by: Tim Gardner <email@example.com>
Tim Gardner firstname.lastname@example.org
kernel-team mailing list