[CVE-2010-4157] gdth: integer overflow in ioctl
apw at canonical.com
Wed Feb 2 12:27:31 UTC 2011
Integer overflow in the ioc_general function in drivers/scsi/gdth.c
in the Linux kernel before 184.108.40.206 on 64-bit platforms allows
local users to cause a denial of service (memory corruption)
or possibly have unspecified other impact via a large argument
in an ioctl call.
This was fixed before Natty opened, and has already hit Maverick and
Lucid via the upstream stable process. The upstream fix cherry-picks
back to Karmic and Hardy unchanged. I have backported this fix to
Dapper as well; including checks for additional parameters from
userspace (which are validated in other ways in Hardy and later).
Two patches follow, one for Dapper, and a second for Hardy and Karmic.
More information about the kernel-team