[maverick, maverick/ti-omap4, natty, natty/ti-omap4 CVE 1/1] si4713-i2c: avoid potential buffer overflow on si4713
Andy Whitcroft
apw at canonical.com
Mon Sep 19 09:47:59 UTC 2011
From: Mauro Carvalho Chehab <mchehab at redhat.com>
While compiling it with Fedora 15, I noticed this issue:
inlined from ‘si4713_write_econtrol_string’ at drivers/media/radio/si4713-i2c.c:1065:24:
arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct
Cc: stable at kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
Acked-by: Sakari Ailus <sakari.ailus at maxwell.research.nokia.com>
Acked-by: Eduardo Valentin <edubezval at gmail.com>
Reviewed-by: Eugene Teo <eugeneteo at kernel.sg>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(cherry picked from commit dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6)
CVE-2011-2700
BugLink: http://bugs.launchpad.net/bugs/844370
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
drivers/media/radio/si4713-i2c.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/radio/si4713-i2c.c b/drivers/media/radio/si4713-i2c.c
index ab63dd5..6ce2fb1 100644
--- a/drivers/media/radio/si4713-i2c.c
+++ b/drivers/media/radio/si4713-i2c.c
@@ -1004,7 +1004,7 @@ static int si4713_write_econtrol_string(struct si4713_device *sdev,
char ps_name[MAX_RDS_PS_NAME + 1];
len = control->size - 1;
- if (len > MAX_RDS_PS_NAME) {
+ if (len < 0 || len > MAX_RDS_PS_NAME) {
rval = -ERANGE;
goto exit;
}
@@ -1026,7 +1026,7 @@ static int si4713_write_econtrol_string(struct si4713_device *sdev,
char radio_text[MAX_RDS_RADIO_TEXT + 1];
len = control->size - 1;
- if (len > MAX_RDS_RADIO_TEXT) {
+ if (len < 0 || len > MAX_RDS_RADIO_TEXT) {
rval = -ERANGE;
goto exit;
}
--
1.7.4.1
More information about the kernel-team
mailing list