[PATCH] USB: fix CAN-2004-0075

Okay, now while we are at fixing security holes, is there any chance we can _finally_ get the attached patch in? The Vicam USB driver in all Linux Kernels 2.6 mainline does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service. Already ACKed by Greg. Only complaint was inproper coding style which is done with attached patch ;) ciao, Marc

[PATCH] USB: fix CAN-2004-0075
Okay, now while we are at fixing security holes, is there any chance we can _finally_ get the attached patch in? The Vicam USB driver in all Linux Kernels 2.6 mainline does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service. Already ACKed by Greg. Only complaint was inproper coding style which is done with attached patch ;) ciao, Marc
e19cd00e · Marc-Christian Petersen · Greg Kroah-Hartman · 0862742d · e19cd00e
Commit e19cd00e authored Apr 14, 2004 by Marc-Christian Petersen Committed by Greg Kroah-Hartman Apr 14, 2004
Show whitespace changes
Inline Side-by-side

Showing with 9 additions and 3 deletions

drivers/usb/media/vicam.c drivers/usb/media/vicam.c +9 -3

No files found.
--- a/drivers/usb/media/vicam.c
+++ b/drivers/usb/media/vicam.c
@@ -653,10 +653,16 @@ vicam_ioctl(struct inode *inode, struct file *file, unsigned int ioctlnr, unsign
 	case VIDIOCSWIN:
 		{

-			struct video_window *vw = (struct video_window *) arg;
+			struct video_window vw;
+
+			if (copy_from_user(&vw, arg, sizeof(vw))) {
+				retval = -EFAULT;
+				break;
+			}
+
 			DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
 			
-			if ( vw->width != 320 || vw->height != 240 )
+			if ( vw.width != 320 || vw.height != 240 )
 				retval = -EFAULT;

 			break;