Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Ubuntu Kernel Team (http://www.linux-archive.org/ubuntu-kernel-team/)
-   -   usb: iowarrior: don't trust report_size for buffer size, CVE-2010-4656 (http://www.linux-archive.org/ubuntu-kernel-team/518831-usb-iowarrior-dont-trust-report_size-buffer-size-cve-2010-4656-a.html)

Brad Figg 04-26-2011 10:00 PM

usb: iowarrior: don't trust report_size for buffer size, CVE-2010-4656
 
From: Kees Cook <kees.cook@canonical.com>

CVE-2010-4656

BugLink: http://bugs.launchpad.net/bugs/711484

If the iowarrior devices in this case statement support more than 8 bytes
per report, it is possible to write past the end of a kernel heap allocation.
This will probably never be possible, but change the allocation to be more
defensive anyway.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

(cherry-pick of commit 3ed780117dbe5acb64280d218f0347f238dafed0)
Signed-off-by: Brad Figg <brad.figg@canonical.com>
---
drivers/usb/misc/iowarrior.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index bc88c79..8ed8d05 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
case USB_DEVICE_ID_CODEMERCS_IOWPV2:
case USB_DEVICE_ID_CODEMERCS_IOW40:
/* IOW24 and IOW40 use a synchronous call */
- buf = kmalloc(8, GFP_KERNEL); /* 8 bytes are enough for both products */
+ buf = kmalloc(count, GFP_KERNEL);
if (!buf) {
retval = -ENOMEM;
goto exit;
--
1.7.0.4


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

John Johansen 04-27-2011 08:10 AM

usb: iowarrior: don't trust report_size for buffer size, CVE-2010-4656
 
On 04/26/2011 03:00 PM, Brad Figg wrote:
> From: Kees Cook <kees.cook@canonical.com>
>
> CVE-2010-4656
>
> BugLink: http://bugs.launchpad.net/bugs/711484
>
> If the iowarrior devices in this case statement support more than 8 bytes
> per report, it is possible to write past the end of a kernel heap allocation.
> This will probably never be possible, but change the allocation to be more
> defensive anyway.
>
> Signed-off-by: Kees Cook <kees.cook@canonical.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
>
> (cherry-pick of commit 3ed780117dbe5acb64280d218f0347f238dafed0)
> Signed-off-by: Brad Figg <brad.figg@canonical.com>

Acked-by: John Johansen <john.johansen@canonical.com>


> ---
> drivers/usb/misc/iowarrior.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
> index bc88c79..8ed8d05 100644
> --- a/drivers/usb/misc/iowarrior.c
> +++ b/drivers/usb/misc/iowarrior.c
> @@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
> case USB_DEVICE_ID_CODEMERCS_IOWPV2:
> case USB_DEVICE_ID_CODEMERCS_IOW40:
> /* IOW24 and IOW40 use a synchronous call */
> - buf = kmalloc(8, GFP_KERNEL); /* 8 bytes are enough for both products */
> + buf = kmalloc(count, GFP_KERNEL);
> if (!buf) {
> retval = -ENOMEM;
> goto exit;


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Stefan Bader 04-27-2011 11:17 AM

usb: iowarrior: don't trust report_size for buffer size, CVE-2010-4656
 
On 04/27/2011 12:00 AM, Brad Figg wrote:
> From: Kees Cook <kees.cook@canonical.com>
>
> CVE-2010-4656
>
> BugLink: http://bugs.launchpad.net/bugs/711484
>
> If the iowarrior devices in this case statement support more than 8 bytes
> per report, it is possible to write past the end of a kernel heap allocation.
> This will probably never be possible, but change the allocation to be more
> defensive anyway.
>
> Signed-off-by: Kees Cook <kees.cook@canonical.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
>
> (cherry-pick of commit 3ed780117dbe5acb64280d218f0347f238dafed0)
> Signed-off-by: Brad Figg <brad.figg@canonical.com>
> ---
> drivers/usb/misc/iowarrior.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
> index bc88c79..8ed8d05 100644
> --- a/drivers/usb/misc/iowarrior.c
> +++ b/drivers/usb/misc/iowarrior.c
> @@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
> case USB_DEVICE_ID_CODEMERCS_IOWPV2:
> case USB_DEVICE_ID_CODEMERCS_IOW40:
> /* IOW24 and IOW40 use a synchronous call */
> - buf = kmalloc(8, GFP_KERNEL); /* 8 bytes are enough for both products */
> + buf = kmalloc(count, GFP_KERNEL);
> if (!buf) {
> retval = -ENOMEM;
> goto exit;
Acked-by: Stefan Bader <stefan.bader@canonical.com>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Tim Gardner 04-27-2011 01:53 PM

usb: iowarrior: don't trust report_size for buffer size, CVE-2010-4656
 
applied
--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team


All times are GMT. The time now is 02:36 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.