[kernel/f13/master] CVE-2011-0521: av7110 negative array offset
Chuck Ebbert
cebbert at fedoraproject.org
Wed Jan 26 17:21:18 UTC 2011
commit f4a2bd612d85dcdf76b30963cf55e2c1e31b8b4c
Author: Chuck Ebbert <cebbert at redhat.com>
Date: Wed Jan 26 12:20:30 2011 -0500
CVE-2011-0521: av7110 negative array offset
kernel.spec | 5 +++
...vb-av7110-check-for-negative-array-offset.patch | 28 ++++++++++++++++++++
2 files changed, 33 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 52d174b..393ce66 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -741,6 +741,8 @@ Patch2906: linux-2.6-v4l-dvb-uvcvideo-update.patch
Patch2910: linux-2.6-v4l-dvb-add-lgdt3304-support.patch
Patch2911: linux-2.6-v4l-dvb-add-kworld-a340-support.patch
+# CVE-2011-0521
+Patch2912: linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch
# fs fixes
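Review bot: The comment above Patch2912 gives only the CVE id, with nothing saying when the patch becomes redundant. The patch file's own X-Git-Tag line reads v2.6.38-rc2~1^2~31; noting that upstream version next to "# CVE-2011-0521" would tell whoever rebases this spec when Patch2912 and its matching ApplyPatch line can be dropped.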
@@ -1564,6 +1566,8 @@ ApplyPatch linux-2.6-v4l-dvb-uvcvideo-update.patch
ApplyPatch linux-2.6-v4l-dvb-add-lgdt3304-support.patch
ApplyPatch linux-2.6-v4l-dvb-add-kworld-a340-support.patch
+# CVE-2011-0521
+ApplyPatch linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch
ApplyPatch linux-2.6-phylib-autoload.patch
@@ -2423,6 +2427,7 @@ fi
* Wed Jan 26 2011 Chuck Ebbert <cebbert at redhat.com>
- TCP networking fixes from 2.6.36.3, including one CVE
CVE-2010-4165: possible kernel oops from user MSS
+- CVE-2011-0521: av7110 negative array offset
* Sat Jan 22 2011 Chuck Ebbert <cebbert at redhat.com>
- Security updates
diff --git a/linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch b/linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch
new file mode 100644
index 0000000..8d58eb9
--- /dev/null
+++ b/linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch
@@ -0,0 +1,28 @@
+From: Dan Carpenter <error27 at gmail.com>
+Date: Fri, 7 Jan 2011 19:41:54 +0000 (-0300)
+Subject: [media] [v3,media] av7110: check for negative array offset
+X-Git-Tag: v2.6.38-rc2~1^2~31
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=cb26a24ee9706473f31d34cc259f4dcf45cd0644
+
+[media] [v3,media] av7110: check for negative array offset
+
+info->num comes from the user. It's type int. If the user passes
+in a negative value that would cause memory corruption.
+
+Signed-off-by: Dan Carpenter <error27 at gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+---
+
+diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
+index 122c728..9fc1dd0 100644
+--- a/drivers/media/dvb/ttpci/av7110_ca.c
++++ b/drivers/media/dvb/ttpci/av7110_ca.c
+@@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg)
+ {
+ ca_slot_info_t *info=(ca_slot_info_t *)parg;
+
+- if (info->num > 1)
++ if (info->num < 0 || info->num > 1)
+ return -EINVAL;
+ av7110->ci_slot[info->num].num = info->num;
+ av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
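Review bot: The upper bound in "if (info->num < 0 || info->num > 1)" is still the literal 1, so the check and the size of av7110->ci_slot can drift apart if the array is ever resized. Deriving the limit from the array itself, for example with ARRAY_SIZE(av7110->ci_slot), would keep the two tied together. Since the commit message states that info->num is a user-supplied int, a one-line comment above the check saying so would also make clear to later readers why both bounds are tested before the ci_slot[info->num] writes.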