[PATCH] USB: fix CAN-2004-0075

Okay, now while we are at fixing security holes, is there any chance we
can _finally_ get the attached patch in?

The Vicam USB driver in all Linux Kernels 2.6 mainline does not use the
copy_from_user function when copying data from userspace to kernel space,
which crosses security boundaries and allows local users to cause a denial
of service.

Already ACKed by Greg. Only complaint was inproper coding style which is done
with attached patch ;)

ciao, Marc

diff --git a/drivers/usb/media/vicam.c b/drivers/usb/media/vicam.c
index 06f05bb3ce4c398fbe1ed16f7729048352cbcf46..448aeb794d589becafe64675f3ad97dd8b65096f 100644 (file)
--- a/drivers/usb/media/vicam.c
+++ b/drivers/usb/media/vicam.c
@@ -653,12 +653,18 @@ vicam_ioctl(struct inode *inode, struct file *file, unsigned int ioctlnr, unsign
        case VIDIOCSWIN:
                {
 
-                       struct video_window *vw = (struct video_window *) arg;
-                       DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
+                       struct video_window vw;
 
-                       if ( vw->width != 320 || vw->height != 240 )
+                       if (copy_from_user(&vw, arg, sizeof(vw))) {
                                retval = -EFAULT;
+                               break;
+                       }
+
+                       DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
                        
+                       if ( vw.width != 320 || vw.height != 240 )
+                               retval = -EFAULT;
+
                        break;
                }