ChangeSet 1.1796, 2004/04/14 14:30:34-07:00, m.c.p@kernel.linux-systeme.com

[PATCH] USB: fix CAN-2004-0075

Okay, now while we are at fixing security holes, is there any chance we
can _finally_ get the attached patch in?

The Vicam USB driver in all Linux Kernels 2.6 mainline does not use the
copy_from_user function when copying data from userspace to kernel space,
which crosses security boundaries and allows local users to cause a denial
of service.

Already ACKed by Greg. Only complaint was improper coding style which is done
with attached patch ;)

ciao, Marc


 drivers/usb/media/vicam.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)


diff -Nru a/drivers/usb/media/vicam.c b/drivers/usb/media/vicam.c
--- a/drivers/usb/media/vicam.c	Wed Apr 14 14:32:40 2004
+++ b/drivers/usb/media/vicam.c	Wed Apr 14 14:32:40 2004
@@ -653,12 +653,18 @@
 	case VIDIOCSWIN:
 		{
 
-			struct video_window *vw = (struct video_window *) arg;
-			DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
+			struct video_window vw;
 
-			if ( vw->width != 320 || vw->height != 240 )
+			if (copy_from_user(&vw, arg, sizeof(vw))) {
 				retval = -EFAULT;
+				break;
+			}
+
+			DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height);
 			
+			if ( vw.width != 320 || vw.height != 240 )
+				retval = -EFAULT;
+
 			break;
 		}
 
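Review bot: the DBG line that now follows the copy_from_user check still dereferences vw->width and vw->height, but vw is declared as a struct video_window on the stack in this hunk, not a pointer, so it should read vw.width and vw.height like the size check below it; as written it will fail to compile in any build where DBG expands to a real call. A smaller point in the same hunk: the unsupported-size branch returns -EFAULT, which normally reports a bad user pointer and is now also what the failed copy_from_user returns, so a caller cannot tell the two apart; -EINVAL would fit the 320 x 240 mismatch better, although that return value is carried over from the old code.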
