From patchwork Tue Apr 26 22:00:31 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Brad Figg X-Patchwork-Id: 92963 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 0B159B6F06 for ; Wed, 27 Apr 2011 07:59:33 +1000 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1QEqHz-0003TA-Cb; Tue, 26 Apr 2011 21:59:23 +0000 Received: from adelie.canonical.com ([91.189.90.139]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1QEqHc-0003Nt-0w for kernel-team@lists.ubuntu.com; Tue, 26 Apr 2011 21:59:00 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by adelie.canonical.com with esmtp (Exim 4.71 #1 (Debian)) id 1QEqHb-0003ih-Ur for ; Tue, 26 Apr 2011 21:58:59 +0000 Received: from static-50-53-98-161.bvtn.or.frontiernet.net ([50.53.98.161] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1QEqHb-00044O-JO for kernel-team@lists.ubuntu.com; Tue, 26 Apr 2011 21:58:59 +0000 From: Brad Figg To: kernel-team@lists.ubuntu.com Subject: [Hardy] [CVE-2010-4656] [PATCH 1/1] usb: iowarrior: don't trust report_size for buffer size, CVE-2010-4656 Date: Tue, 26 Apr 2011 15:00:31 -0700 Message-Id: <1303855231-5715-1-git-send-email-brad.figg@canonical.com> X-Mailer: git-send-email 1.7.0.4 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com From: Kees Cook CVE-2010-4656 BugLink: http://bugs.launchpad.net/bugs/711484 If the iowarrior devices in this case statement support more than 8 bytes per report, it is possible to write past the end of a kernel heap allocation. This will probably never be possible, but change the allocation to be more defensive anyway. Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman (cherry-pick of commit 3ed780117dbe5acb64280d218f0347f238dafed0) Signed-off-by: Brad Figg Acked-by: John Johansen Acked-by: Stefan Bader --- drivers/usb/misc/iowarrior.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c index bc88c79..8ed8d05 100644 --- a/drivers/usb/misc/iowarrior.c +++ b/drivers/usb/misc/iowarrior.c @@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file, case USB_DEVICE_ID_CODEMERCS_IOWPV2: case USB_DEVICE_ID_CODEMERCS_IOW40: /* IOW24 and IOW40 use a synchronous call */ - buf = kmalloc(8, GFP_KERNEL); /* 8 bytes are enough for both products */ + buf = kmalloc(count, GFP_KERNEL); if (!buf) { retval = -ENOMEM; goto exit;