[kernel] r16851 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Tue Jan 25 05:40:46 UTC 2011

Author: dannf
Date: Tue Jan 25 05:40:44 2011
New Revision: 16851

Log:
av7110: check for negative array offset (CVE-2011-0521)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================

--- dists/lenny-security/linux-2.6/debian/changelog	Mon Jan 24 03:31:32 2011	(r16850)
+++ dists/lenny-security/linux-2.6/debian/changelog	Tue Jan 25 05:40:44 2011	(r16851)
@@ -23,6 +23,7 @@
   * IB/uverbs: Handle large number of entries in poll CQ (CVE-2010-4649)
   * block: check for proper length of iov entries earlier in
     blk_rq_map_user_iov() (CVE-2010-4668)
+  * av7110: check for negative array offset (CVE-2011-0521)
 
   [ Moritz Muehlenhoff ]
   * blkback/blktap/netback: Fix CVE-2010-3699 	

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch	Tue Jan 25 05:40:44 2011	(r16851)
@@ -0,0 +1,25 @@
+commit cb26a24ee9706473f31d34cc259f4dcf45cd0644
+Author: Dan Carpenter <error27 at gmail.com>
+Date:   Fri Jan 7 16:41:54 2011 -0300
+
+    [media] [v3,media] av7110: check for negative array offset
+    
+    info->num comes from the user.  It's type int.  If the user passes
+    in a negative value that would cause memory corruption.
+    
+    Signed-off-by: Dan Carpenter <error27 at gmail.com>
+    Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+
+diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
+index 122c728..9fc1dd0 100644
+--- a/drivers/media/dvb/ttpci/av7110_ca.c
++++ b/drivers/media/dvb/ttpci/av7110_ca.c
+@@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg)
+ 	{
+ 		ca_slot_info_t *info=(ca_slot_info_t *)parg;
+ 
+-		if (info->num > 1)
++		if (info->num < 0 || info->num > 1)
+ 			return -EINVAL;
+ 		av7110->ci_slot[info->num].num = info->num;
+ 		av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Mon Jan 24 03:31:32 2011	(r16850)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny2	Tue Jan 25 05:40:44 2011	(r16851)
@@ -19,3 +19,4 @@
 + bugfix/all/can-use-inode-instead-of-kernel-address-for-proc-file.patch
 + bugfix/all/ib-uverbs-handle-large-number-of-entries-in-poll-CQ.patch
 + bugfix/all/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
++ bugfix/all/av7110-check-for-negative-array-offset.patch

