CVE-2011-0521: av7110 negative array offset
This commit is contained in:
parent
8cb12224b9
commit
f4a2bd612d
|
@ -741,6 +741,8 @@ Patch2906: linux-2.6-v4l-dvb-uvcvideo-update.patch
|
|||
|
||||
Patch2910: linux-2.6-v4l-dvb-add-lgdt3304-support.patch
|
||||
Patch2911: linux-2.6-v4l-dvb-add-kworld-a340-support.patch
|
||||
# CVE-2011-0521
|
||||
Patch2912: linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch
|
||||
|
||||
# fs fixes
|
||||
|
||||
|
@ -1564,6 +1566,8 @@ ApplyPatch linux-2.6-v4l-dvb-uvcvideo-update.patch
|
|||
|
||||
ApplyPatch linux-2.6-v4l-dvb-add-lgdt3304-support.patch
|
||||
ApplyPatch linux-2.6-v4l-dvb-add-kworld-a340-support.patch
|
||||
# CVE-2011-0521
|
||||
ApplyPatch linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch
|
||||
|
||||
ApplyPatch linux-2.6-phylib-autoload.patch
|
||||
|
||||
|
@ -2423,6 +2427,7 @@ fi
|
|||
* Wed Jan 26 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||
- TCP networking fixes from 2.6.36.3, including one CVE
|
||||
CVE-2010-4165: possible kernel oops from user MSS
|
||||
- CVE-2011-0521: av7110 negative array offset
|
||||
|
||||
* Sat Jan 22 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||
- Security updates
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
From: Dan Carpenter <error27@gmail.com>
|
||||
Date: Fri, 7 Jan 2011 19:41:54 +0000 (-0300)
|
||||
Subject: [media] [v3,media] av7110: check for negative array offset
|
||||
X-Git-Tag: v2.6.38-rc2~1^2~31
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=cb26a24ee9706473f31d34cc259f4dcf45cd0644
|
||||
|
||||
[media] [v3,media] av7110: check for negative array offset
|
||||
|
||||
info->num comes from the user. It's type int. If the user passes
|
||||
in a negative value that would cause memory corruption.
|
||||
|
||||
Signed-off-by: Dan Carpenter <error27@gmail.com>
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
|
||||
---
|
||||
|
||||
diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
|
||||
index 122c728..9fc1dd0 100644
|
||||
--- a/drivers/media/dvb/ttpci/av7110_ca.c
|
||||
+++ b/drivers/media/dvb/ttpci/av7110_ca.c
|
||||
@@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg)
|
||||
{
|
||||
ca_slot_info_t *info=(ca_slot_info_t *)parg;
|
||||
|
||||
- if (info->num > 1)
|
||||
+ if (info->num < 0 || info->num > 1)
|
||||
return -EINVAL;
|
||||
av7110->ci_slot[info->num].num = info->num;
|
||||
av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
|
Loading…
Reference in New Issue