[Hardy] [CVE-2010-4656] [PATCH 1/1] usb: iowarrior: don't trust report_size for buffer size, CVE-2010-4656
Brad Figg
brad.figg at canonical.com
Tue Apr 26 22:00:31 UTC 2011
From: Kees Cook <kees.cook at canonical.com>
CVE-2010-4656
BugLink: http://bugs.launchpad.net/bugs/711484
If the iowarrior devices in this case statement support more than 8 bytes
per report, it is possible to write past the end of a kernel heap allocation.
This will probably never be possible, but change the allocation to be more
defensive anyway.
Signed-off-by: Kees Cook <kees.cook at canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
(cherry-pick of commit 3ed780117dbe5acb64280d218f0347f238dafed0)
Signed-off-by: Brad Figg <brad.figg at canonical.com>
---
drivers/usb/misc/iowarrior.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index bc88c79..8ed8d05 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -374,7 +374,7 @@ static ssize_t iowarrior_write(struct file *file,
case USB_DEVICE_ID_CODEMERCS_IOWPV2:
case USB_DEVICE_ID_CODEMERCS_IOW40:
/* IOW24 and IOW40 use a synchronous call */
- buf = kmalloc(8, GFP_KERNEL); /* 8 bytes are enough for both products */
+ buf = kmalloc(count, GFP_KERNEL);
if (!buf) {
retval = -ENOMEM;
goto exit;
--
1.7.0.4
More information about the kernel-team
mailing list