[Hardy] [CVE-2010-4656] [PATCH 1/1] usb: iowarrior: don't trust report_size for buffer size, CVE-2010-4656
Stefan Bader
stefan.bader at canonical.com
Wed Apr 27 11:17:41 UTC 2011
On 04/27/2011 12:00 AM, Brad Figg wrote:
> From: Kees Cook <kees.cook at canonical.com>
>
> CVE-2010-4656
>
> BugLink: http://bugs.launchpad.net/bugs/711484
>
> If the iowarrior devices in this case statement support more than 8 bytes
> per report, it is possible to write past the end of a kernel heap allocation.
> This will probably never be possible, but change the allocation to be more
> defensive anyway.
>
> Signed-off-by: Kees Cook <kees.cook at canonical.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
>
> (cherry-pick of commit 3ed780117dbe5acb64280d218f0347f238dafed0)
> Signed-off-by: Brad Figg <brad.figg at canonical.com>
> ---
> drivers/usb/misc/iowarrior.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
> index bc88c79..8ed8d05 100644
> --- a/drivers/usb/misc/iowarrior.c
> +++ b/drivers/usb/misc/iowarrior.c
> @@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
> case USB_DEVICE_ID_CODEMERCS_IOWPV2:
> case USB_DEVICE_ID_CODEMERCS_IOW40:
> /* IOW24 and IOW40 use a synchronous call */
> - buf = kmalloc(8, GFP_KERNEL); /* 8 bytes are enough for both products */
> + buf = kmalloc(count, GFP_KERNEL);
> if (!buf) {
> retval = -ENOMEM;
> goto exit;
Acked-by: Stefan Bader <stefan.bader at canonical.com>
More information about the kernel-team
mailing list