[kernel] r16853 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Jan 26 02:07:33 UTC 2011 

Author: dannf
Date: Wed Jan 26 02:07:20 2011
New Revision: 16853

Log:
av7110: check for negative array offset (CVE-2011-0521)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch
      - copied unchanged from r16852, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/31

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Tue Jan 25 05:46:20 2011	(r16852)
+++ dists/sid/linux-2.6/debian/changelog	Wed Jan 26 02:07:20 2011	(r16853)
@@ -15,6 +15,7 @@
 
   [ dann frazier ]
   * xfs: fix information leak using stale NFS handle (CVE-2010-2943)
+  * av7110: check for negative array offset (CVE-2011-0521)
 
  -- Ian Campbell <ijc at hellion.org.uk>  Thu, 13 Jan 2011 07:07:54 +0000
 

Copied: dists/sid/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch (from r16852, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch	Wed Jan 26 02:07:20 2011	(r16853, copy of r16852, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/av7110-check-for-negative-array-offset.patch)
@@ -0,0 +1,25 @@
+commit cb26a24ee9706473f31d34cc259f4dcf45cd0644
+Author: Dan Carpenter <error27 at gmail.com>
+Date:   Fri Jan 7 16:41:54 2011 -0300
+
+    [media] [v3,media] av7110: check for negative array offset
+    
+    info->num comes from the user.  It's type int.  If the user passes
+    in a negative value that would cause memory corruption.
+    
+    Signed-off-by: Dan Carpenter <error27 at gmail.com>
+    Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
+
+diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c
+index 122c728..9fc1dd0 100644
+--- a/drivers/media/dvb/ttpci/av7110_ca.c
++++ b/drivers/media/dvb/ttpci/av7110_ca.c
+@@ -277,7 +277,7 @@ static int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg)
+ 	{
+ 		ca_slot_info_t *info=(ca_slot_info_t *)parg;
+ 
+-		if (info->num > 1)
++		if (info->num < 0 || info->num > 1)
+ 			return -EINVAL;
+ 		av7110->ci_slot[info->num].num = info->num;
+ 		av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?

Modified: dists/sid/linux-2.6/debian/patches/series/31
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/31	Tue Jan 25 05:46:20 2011	(r16852)
+++ dists/sid/linux-2.6/debian/patches/series/31	Wed Jan 26 02:07:20 2011	(r16853)
@@ -10,3 +10,4 @@
 + bugfix/all/xfs-remove-block-number-from-inode-lookup-code.patch
 + bugfix/all/xfs-fix-untrusted-inode-number-lookup.patch
 + bugfix/all/r8169-keep-firmware-in-memory.patch
++ bugfix/all/av7110-check-for-negative-array-offset.patch

More information about the Kernel-svn-changes mailing list