rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

CVE-2011-0521: av7110 negative array offset

This commit is contained in:
Chuck Ebbert 2011-01-26 12:20:30 -05:00
parent 8cb12224b9
commit f4a2bd612d
2 changed files with 33 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
kernel.spec
View File

@ -741,6 +741,8 @@ Patch2906: linux-2.6-v4l-dvb-uvcvideo-update.patch
Patch2910: linux-2.6-v4l-dvb-add-lgdt3304-support.patch
Patch2911: linux-2.6-v4l-dvb-add-kworld-a340-support.patch
# CVE-2011-0521
Patch2912: linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch
# fs fixes
@ -1564,6 +1566,8 @@ ApplyPatch linux-2.6-v4l-dvb-uvcvideo-update.patch
ApplyPatch linux-2.6-v4l-dvb-add-lgdt3304-support.patch
ApplyPatch linux-2.6-v4l-dvb-add-kworld-a340-support.patch
# CVE-2011-0521
ApplyPatch linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch
ApplyPatch linux-2.6-phylib-autoload.patch
@ -2423,6 +2427,7 @@ fi
* Wed Jan 26 2011 Chuck Ebbert <cebbert@redhat.com>
- TCP networking fixes from 2.6.36.3, including one CVE
CVE-2010-4165: possible kernel oops from user MSS
- CVE-2011-0521: av7110 negative array offset
* Sat Jan 22 2011 Chuck Ebbert <cebbert@redhat.com>
- Security updates

28
linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch Normal file
View File

@ -0,0 +1,28 @@
From: Dan Carpenter <error27@gmail.com>
Date: Fri, 7 Jan 2011 19:41:54 +0000 (-0300)
Subject: [media] [v3,media] av7110: check for negative array offset
X-Git-Tag: v2.6.38-rc2~1^2~31
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=cb26a24ee9706473f31d34cc259f4dcf45cd0644
[media] [v3,media] av7110: check for negative array offset
info->num comes from the user. It's type int. If the user passes
in a negative value that would cause memory corruption.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
---
diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
index 122c728..9fc1dd0 100644
--- a/drivers/media/dvb/ttpci/av7110_ca.c
+++ b/drivers/media/dvb/ttpci/av7110_ca.c
@@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg)
{
ca_slot_info_t *info=(ca_slot_info_t *)parg;
- if (info->num > 1)
+ if (info->num < 0 || info->num > 1)
return -EINVAL;
av7110->ci_slot[info->num].num = info->num;
av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?