[SECURITY] CAN-2004-0075 (was: Re: [SECURITY] CAN-2004-0109 isofs fix.)
From: Marc-Christian Petersen
Date: Wed Apr 14 2004 - 15:34:43 EST
On Wednesday 14 April 2004 19:11, Dave Jones wrote:
Hi,
> Merged in 2.4, and various vendor kernels today..
Okay, now while we are at fixing security holes, is there any chance we
can _finally_ get the attached patch in?
The Vicam USB driver in all Linux Kernels 2.6 mainline does not use the
copy_from_user function when copying data from userspace to kernel space,
which crosses security boundaries and allows local users to cause a denial
of service.
Already ACKed by Greg. Only complaint was inproper coding style which is done
with attached patch ;)
ciao, Marc
diff -urN a/drivers/usb/media/vicam.c b/drivers/usb/media/vicam.c
--- a/drivers/usb/media/vicam.c 2003-11-28 10:26:20.000000000 +0100
+++ b/drivers/usb/media/vicam.c 2004-01-15 12:10:23.000000000 +0100
@@ -653,12 +653,18 @@
case VIDIOCSWIN:
{
- struct video_window *vw = (struct video_window *) arg;
- DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
+ struct video_window vw;
- if ( vw->width != 320 || vw->height != 240 )
+ if (copy_from_user(&vw, arg, sizeof(vw))) {
retval = -EFAULT;
+ break;
+ }
+
+ DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
+ if ( vw.width != 320 || vw.height != 240 )
+ retval = -EFAULT;
+
break;
}