Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Ubuntu Kernel Team (http://www.linux-archive.org/ubuntu-kernel-team/)
-   -   av7110: check for negative array offset, CVE-2011-0521 (http://www.linux-archive.org/ubuntu-kernel-team/516558-av7110-check-negative-array-offset-cve-2011-0521-a.html)

Leann Ogasawara 04-20-2011 08:23 PM

av7110: check for negative array offset, CVE-2011-0521
 
The following changes since commit a6abc5582f64808c74c4973590bc5cbf8d67cead:
Dan Rosenberg (1):
irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

are available in the git repository at:

git://kernel.ubuntu.com/ogasawara/ubuntu-dapper.git CVE-2011-0521

Dan Carpenter (1):
[media] [v3,media] av7110: check for negative array offset, CVE-2011-0521

drivers/media/dvb/ttpci/av7110_ca.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

Leann Ogasawara 04-20-2011 08:23 PM

av7110: check for negative array offset, CVE-2011-0521
 
The following changes since commit 62419a42fd4f8a418e90ca0d474eae77c138152e:
Tim Gardner (1):
UBUNTU: [Config] remove generated files

are available in the git repository at:

git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2011-0521

Dan Carpenter (1):
[media] [v3,media] av7110: check for negative array offset, CVE-2011-0521

drivers/media/dvb/ttpci/av7110_ca.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

Brad Figg 04-20-2011 08:32 PM

av7110: check for negative array offset, CVE-2011-0521
 
On 04/20/2011 01:23 PM, Leann Ogasawara wrote:

The following changes since commit a6abc5582f64808c74c4973590bc5cbf8d67cead:
Dan Rosenberg (1):
irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

are available in the git repository at:

git://kernel.ubuntu.com/ogasawara/ubuntu-dapper.git CVE-2011-0521

Dan Carpenter (1):
[media] [v3,media] av7110: check for negative array offset, CVE-2011-0521

drivers/media/dvb/ttpci/av7110_ca.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

From ab564569938b086bdc8fce1b189a757cd2683d1b Mon Sep 17 00:00:00 2001
From: Dan Carpenter<error27@gmail.com>
Date: Fri, 7 Jan 2011 16:41:54 -0300
Subject: [PATCH] [media] [v3,media] av7110: check for negative array offset, CVE-2011-0521

BugLink: http://bugs.launchpad.net/bugs/767526

CVE-2011-0521

info->num comes from the user. It's type int. If the user passes
in a negative value that would cause memory corruption.

Signed-off-by: Dan Carpenter<error27@gmail.com>
Signed-off-by: Mauro Carvalho Chehab<mchehab@redhat.com>
(cherry picked from commit cb26a24ee9706473f31d34cc259f4dcf45cd0644)

Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com>
---
drivers/media/dvb/ttpci/av7110_ca.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
index 6079e88..873895a 100644
--- a/drivers/media/dvb/ttpci/av7110_ca.c
+++ b/drivers/media/dvb/ttpci/av7110_ca.c
@@ -280,7 +280,7 @@ static int dvb_ca_ioctl(struct inode *inode, struct file *file,
{
ca_slot_info_t *info=(ca_slot_info_t *)parg;

- if (info->num> 1)
+ if (info->num< 0 || info->num> 1)
return -EINVAL;
av7110->ci_slot[info->num].num = info->num;
av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?


This is a perfect example of a bug that should not be classified as a CVE.

Acked-by: Brad Figg <brad.figg@canonical.com>

--
Brad Figg brad.figg@canonical.com http://www.canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Brad Figg 04-20-2011 08:33 PM

av7110: check for negative array offset, CVE-2011-0521
 
On 04/20/2011 01:23 PM, Leann Ogasawara wrote:

The following changes since commit 62419a42fd4f8a418e90ca0d474eae77c138152e:
Tim Gardner (1):
UBUNTU: [Config] remove generated files

are available in the git repository at:

git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2011-0521

Dan Carpenter (1):
[media] [v3,media] av7110: check for negative array offset, CVE-2011-0521

drivers/media/dvb/ttpci/av7110_ca.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

From 28700f242783963aa5025036050fb3a2f50c51d1 Mon Sep 17 00:00:00 2001
From: Dan Carpenter<error27@gmail.com>
Date: Fri, 7 Jan 2011 16:41:54 -0300
Subject: [PATCH] [media] [v3,media] av7110: check for negative array offset, CVE-2011-0521

BugLink: http://bugs.launchpad.net/bugs/767526

CVE-2011-0521

info->num comes from the user. It's type int. If the user passes
in a negative value that would cause memory corruption.

Signed-off-by: Dan Carpenter<error27@gmail.com>
Signed-off-by: Mauro Carvalho Chehab<mchehab@redhat.com>
(cherry picked from commit cb26a24ee9706473f31d34cc259f4dcf45cd0644)

Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com>
---
drivers/media/dvb/ttpci/av7110_ca.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
index c58e3fc..1e89adc 100644
--- a/drivers/media/dvb/ttpci/av7110_ca.c
+++ b/drivers/media/dvb/ttpci/av7110_ca.c
@@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct inode *inode, struct file *file,
{
ca_slot_info_t *info=(ca_slot_info_t *)parg;

- if (info->num> 1)
+ if (info->num< 0 || info->num> 1)
return -EINVAL;
av7110->ci_slot[info->num].num = info->num;
av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?


Acked-by: Brad Figg <brad.figg@canonical.com>

--
Brad Figg brad.figg@canonical.com http://www.canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Stefan Bader 04-21-2011 07:19 AM

av7110: check for negative array offset, CVE-2011-0521
 
On 04/20/2011 10:23 PM, Leann Ogasawara wrote:
> The following changes since commit a6abc5582f64808c74c4973590bc5cbf8d67cead:
> Dan Rosenberg (1):
> irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/ogasawara/ubuntu-dapper.git CVE-2011-0521
>
> Dan Carpenter (1):
> [media] [v3,media] av7110: check for negative array offset, CVE-2011-0521
>
> drivers/media/dvb/ttpci/av7110_ca.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> From ab564569938b086bdc8fce1b189a757cd2683d1b Mon Sep 17 00:00:00 2001
> From: Dan Carpenter <error27@gmail.com>
> Date: Fri, 7 Jan 2011 16:41:54 -0300
> Subject: [PATCH] [media] [v3,media] av7110: check for negative array offset, CVE-2011-0521
>
> BugLink: http://bugs.launchpad.net/bugs/767526
>
> CVE-2011-0521
>
> info->num comes from the user. It's type int. If the user passes
> in a negative value that would cause memory corruption.
>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
> (cherry picked from commit cb26a24ee9706473f31d34cc259f4dcf45cd0644)
>
> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
> ---
> drivers/media/dvb/ttpci/av7110_ca.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
> index 6079e88..873895a 100644
> --- a/drivers/media/dvb/ttpci/av7110_ca.c
> +++ b/drivers/media/dvb/ttpci/av7110_ca.c
> @@ -280,7 +280,7 @@ static int dvb_ca_ioctl(struct inode *inode, struct file *file,
> {
> ca_slot_info_t *info=(ca_slot_info_t *)parg;
>
> - if (info->num > 1)
> + if (info->num < 0 || info->num > 1)
> return -EINVAL;
> av7110->ci_slot[info->num].num = info->num;
> av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?

Acked-by: Stefan Bader <stefan.bader@canonical.com>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Stefan Bader 04-21-2011 07:19 AM

av7110: check for negative array offset, CVE-2011-0521
 
On 04/20/2011 10:23 PM, Leann Ogasawara wrote:
> The following changes since commit 62419a42fd4f8a418e90ca0d474eae77c138152e:
> Tim Gardner (1):
> UBUNTU: [Config] remove generated files
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2011-0521
>
> Dan Carpenter (1):
> [media] [v3,media] av7110: check for negative array offset, CVE-2011-0521
>
> drivers/media/dvb/ttpci/av7110_ca.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> From 28700f242783963aa5025036050fb3a2f50c51d1 Mon Sep 17 00:00:00 2001
> From: Dan Carpenter <error27@gmail.com>
> Date: Fri, 7 Jan 2011 16:41:54 -0300
> Subject: [PATCH] [media] [v3,media] av7110: check for negative array offset, CVE-2011-0521
>
> BugLink: http://bugs.launchpad.net/bugs/767526
>
> CVE-2011-0521
>
> info->num comes from the user. It's type int. If the user passes
> in a negative value that would cause memory corruption.
>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
> (cherry picked from commit cb26a24ee9706473f31d34cc259f4dcf45cd0644)
>
> Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
> ---
> drivers/media/dvb/ttpci/av7110_ca.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
> index c58e3fc..1e89adc 100644
> --- a/drivers/media/dvb/ttpci/av7110_ca.c
> +++ b/drivers/media/dvb/ttpci/av7110_ca.c
> @@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct inode *inode, struct file *file,
> {
> ca_slot_info_t *info=(ca_slot_info_t *)parg;
>
> - if (info->num > 1)
> + if (info->num < 0 || info->num > 1)
> return -EINVAL;
> av7110->ci_slot[info->num].num = info->num;
> av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?

Acked-by: Stefan Bader <stefan.bader@canonical.com>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Tim Gardner 04-21-2011 12:47 PM

av7110: check for negative array offset, CVE-2011-0521
 
On 04/20/2011 02:23 PM, Leann Ogasawara wrote:

The following changes since commit 62419a42fd4f8a418e90ca0d474eae77c138152e:
Tim Gardner (1):
UBUNTU: [Config] remove generated files

are available in the git repository at:

git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2011-0521

Dan Carpenter (1):
[media] [v3,media] av7110: check for negative array offset, CVE-2011-0521

drivers/media/dvb/ttpci/av7110_ca.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

From 28700f242783963aa5025036050fb3a2f50c51d1 Mon Sep 17 00:00:00 2001
From: Dan Carpenter<error27@gmail.com>
Date: Fri, 7 Jan 2011 16:41:54 -0300
Subject: [PATCH] [media] [v3,media] av7110: check for negative array offset, CVE-2011-0521

BugLink: http://bugs.launchpad.net/bugs/767526

CVE-2011-0521

info->num comes from the user. It's type int. If the user passes
in a negative value that would cause memory corruption.

Signed-off-by: Dan Carpenter<error27@gmail.com>
Signed-off-by: Mauro Carvalho Chehab<mchehab@redhat.com>
(cherry picked from commit cb26a24ee9706473f31d34cc259f4dcf45cd0644)

Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com>
---
drivers/media/dvb/ttpci/av7110_ca.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
index c58e3fc..1e89adc 100644
--- a/drivers/media/dvb/ttpci/av7110_ca.c
+++ b/drivers/media/dvb/ttpci/av7110_ca.c
@@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct inode *inode, struct file *file,
{
ca_slot_info_t *info=(ca_slot_info_t *)parg;

- if (info->num> 1)
+ if (info->num< 0 || info->num> 1)
return -EINVAL;
av7110->ci_slot[info->num].num = info->num;
av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?


applied

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Tim Gardner 04-21-2011 12:50 PM

av7110: check for negative array offset, CVE-2011-0521
 
On 04/20/2011 02:23 PM, Leann Ogasawara wrote:

The following changes since commit a6abc5582f64808c74c4973590bc5cbf8d67cead:
Dan Rosenberg (1):
irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529

are available in the git repository at:

git://kernel.ubuntu.com/ogasawara/ubuntu-dapper.git CVE-2011-0521

Dan Carpenter (1):
[media] [v3,media] av7110: check for negative array offset, CVE-2011-0521

drivers/media/dvb/ttpci/av7110_ca.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

From ab564569938b086bdc8fce1b189a757cd2683d1b Mon Sep 17 00:00:00 2001
From: Dan Carpenter<error27@gmail.com>
Date: Fri, 7 Jan 2011 16:41:54 -0300
Subject: [PATCH] [media] [v3,media] av7110: check for negative array offset, CVE-2011-0521

BugLink: http://bugs.launchpad.net/bugs/767526

CVE-2011-0521

info->num comes from the user. It's type int. If the user passes
in a negative value that would cause memory corruption.

Signed-off-by: Dan Carpenter<error27@gmail.com>
Signed-off-by: Mauro Carvalho Chehab<mchehab@redhat.com>
(cherry picked from commit cb26a24ee9706473f31d34cc259f4dcf45cd0644)

Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com>
---
drivers/media/dvb/ttpci/av7110_ca.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
index 6079e88..873895a 100644
--- a/drivers/media/dvb/ttpci/av7110_ca.c
+++ b/drivers/media/dvb/ttpci/av7110_ca.c
@@ -280,7 +280,7 @@ static int dvb_ca_ioctl(struct inode *inode, struct file *file,
{
ca_slot_info_t *info=(ca_slot_info_t *)parg;

- if (info->num> 1)
+ if (info->num< 0 || info->num> 1)
return -EINVAL;
av7110->ci_slot[info->num].num = info->num;
av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?


applied

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team


All times are GMT. The time now is 07:34 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.