[kernel/f13/master] CVE-2011-0521: av7110 negative array offset

Chuck Ebbert cebbert at fedoraproject.org
Wed Jan 26 17:21:18 UTC 2011


commit f4a2bd612d85dcdf76b30963cf55e2c1e31b8b4c
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Wed Jan 26 12:20:30 2011 -0500

    CVE-2011-0521: av7110 negative array offset

 kernel.spec                                        |    5 +++
 ...vb-av7110-check-for-negative-array-offset.patch |   28 ++++++++++++++++++++
 2 files changed, 33 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 52d174b..393ce66 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -741,6 +741,8 @@ Patch2906: linux-2.6-v4l-dvb-uvcvideo-update.patch
 
 Patch2910: linux-2.6-v4l-dvb-add-lgdt3304-support.patch
 Patch2911: linux-2.6-v4l-dvb-add-kworld-a340-support.patch
+# CVE-2011-0521
+Patch2912: linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch
 
 # fs fixes
 
@@ -1564,6 +1566,8 @@ ApplyPatch linux-2.6-v4l-dvb-uvcvideo-update.patch
 
 ApplyPatch linux-2.6-v4l-dvb-add-lgdt3304-support.patch
 ApplyPatch linux-2.6-v4l-dvb-add-kworld-a340-support.patch
+# CVE-2011-0521
+ApplyPatch linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch
 
 ApplyPatch linux-2.6-phylib-autoload.patch
 
@@ -2423,6 +2427,7 @@ fi
 * Wed Jan 26 2011 Chuck Ebbert <cebbert at redhat.com>
 - TCP networking fixes from 2.6.36.3, including one CVE
   CVE-2010-4165: possible kernel oops from user MSS
+- CVE-2011-0521: av7110 negative array offset
 
 * Sat Jan 22 2011 Chuck Ebbert <cebbert at redhat.com>
 - Security updates
diff --git a/linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch b/linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch
new file mode 100644
index 0000000..8d58eb9
--- /dev/null
+++ b/linux-2.6-v4l-dvb-av7110-check-for-negative-array-offset.patch
@@ -0,0 +1,28 @@
+From: Dan Carpenter <error27 at gmail.com>
+Date: Fri, 7 Jan 2011 19:41:54 +0000 (-0300)
+Subject: [media] [v3,media] av7110: check for negative array offset
+X-Git-Tag: v2.6.38-rc2~1^2~31
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=cb26a24ee9706473f31d34cc259f4dcf45cd0644
+
+[media] [v3,media] av7110: check for negative array offset
+
+info->num comes from the user.  It's type int.  If the user passes
+in a negative value that would cause memory corruption.
+
+Signed-off-by: Dan Carpenter <error27 at gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+---
+
+diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
+index 122c728..9fc1dd0 100644
+--- a/drivers/media/dvb/ttpci/av7110_ca.c
++++ b/drivers/media/dvb/ttpci/av7110_ca.c
+@@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg)
+ 	{
+ 		ca_slot_info_t *info=(ca_slot_info_t *)parg;
+ 
+-		if (info->num > 1)
++		if (info->num < 0 || info->num > 1)
+ 			return -EINVAL;
+ 		av7110->ci_slot[info->num].num = info->num;
+ 		av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?


More information about the scm-commits mailing list