| Message ID | 1318001618-24037-2-git-send-email-apw@canonical.com |
|---|---|
| State | New |
| Headers | show |
On 10/07/2011 10:33 AM, Andy Whitcroft wrote: > From: Vasiliy Kulikov<segoon@openwall.com> > > driver_name and board_name are pointers to strings, not buffers of size > COMEDI_NAMELEN. Copying COMEDI_NAMELEN bytes of a string containing > less than COMEDI_NAMELEN-1 bytes would leak some unrelated bytes. > > Signed-off-by: Vasiliy Kulikov<segoon@openwall.com> > Cc: stable<stable@kernel.org> > Signed-off-by: Greg Kroah-Hartman<gregkh@suse.de> > > (cherry picked from commit 819cbb120eaec7e014e5abd029260db1ca8c5735) > CVE-2011-2909 > BugLink: http://bugs.launchpad.net/bugs/869261 > Signed-off-by: Andy Whitcroft<apw@canonical.com> > --- > drivers/staging/comedi/comedi_fops.c | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c > index 9d7c993..16d98ce 100644 > --- a/drivers/staging/comedi/comedi_fops.c > +++ b/drivers/staging/comedi/comedi_fops.c > @@ -359,8 +359,8 @@ static int do_devinfo_ioctl(struct comedi_device *dev, struct comedi_devinfo *ar > /* fill devinfo structure */ > devinfo.version_code = COMEDI_VERSION_CODE; > devinfo.n_subdevs = dev->n_subdevices; > - memcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN); > - memcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN); > + strlcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN); > + strlcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN); > > if (read_subdev) > devinfo.read_subdevice = read_subdev - dev->subdevices;
On Fri, Oct 07, 2011 at 04:33:38PM +0100, Andy Whitcroft wrote: > From: Vasiliy Kulikov <segoon@openwall.com> > > driver_name and board_name are pointers to strings, not buffers of size > COMEDI_NAMELEN. Copying COMEDI_NAMELEN bytes of a string containing > less than COMEDI_NAMELEN-1 bytes would leak some unrelated bytes. > > Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> > Cc: stable <stable@kernel.org> > Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> > > (cherry picked from commit 819cbb120eaec7e014e5abd029260db1ca8c5735) > CVE-2011-2909 > BugLink: http://bugs.launchpad.net/bugs/869261 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > drivers/staging/comedi/comedi_fops.c | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c > index 9d7c993..16d98ce 100644 > --- a/drivers/staging/comedi/comedi_fops.c > +++ b/drivers/staging/comedi/comedi_fops.c > @@ -359,8 +359,8 @@ static int do_devinfo_ioctl(struct comedi_device *dev, struct comedi_devinfo *ar > /* fill devinfo structure */ > devinfo.version_code = COMEDI_VERSION_CODE; > devinfo.n_subdevs = dev->n_subdevices; > - memcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN); > - memcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN); > + strlcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN); > + strlcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN); > > if (read_subdev) > devinfo.read_subdevice = read_subdev - dev->subdevices; > -- > 1.7.4.1 Acked-by: Seth Forshee <seth.forshee@canonical.com>
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index 9d7c993..16d98ce 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -359,8 +359,8 @@ static int do_devinfo_ioctl(struct comedi_device *dev, struct comedi_devinfo *ar /* fill devinfo structure */ devinfo.version_code = COMEDI_VERSION_CODE; devinfo.n_subdevs = dev->n_subdevices; - memcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN); - memcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN); + strlcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN); + strlcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN); if (read_subdev) devinfo.read_subdevice = read_subdev - dev->subdevices;