Gentoo's Bugzilla – Attachment 51305 Details for Bug 78362: Local DoS through vc_resize (CAN-2004-1333)
[patch] 2.6.9 patch: 2.6.9-78362.patch (text/plain), 2.37 KB, created by Tim Yamin (RETIRED) on 2005-02-15 13:56:23 UTC
># This is a BitKeeper generated diff -Nru style patch. ># ># ChangeSet ># 2004/12/08 13:03:03-08:00 davem@nuts.davemloft.net ># [NET]: CMSG compat code needs signedness fixes too. ># ># Signed-off-by: David S. Miller <davem@davemloft.net> ># ># net/compat.c ># 2004/12/08 13:02:32-08:00 davem@nuts.davemloft.net +7 -5 ># [NET]: CMSG compat code needs signedness fixes too. ># ># ChangeSet ># 2004/12/10 09:52:42-08:00 torvalds@ppc970.osdl.org ># Make sure VC resizing fits in s16. ># ># Noted by Georgi Guninski ># ># drivers/char/vt.c ># 2004/12/10 09:52:35-08:00 torvalds@ppc970.osdl.org +5 -0 ># Make sure VC resizing fits in s16. ># >diff -Nru a/net/compat.c b/net/compat.c >--- a/net/compat.c 2005-02-15 11:46:30 -08:00 >+++ b/net/compat.c 2005-02-15 11:46:30 -08:00 >@@ -124,6 +124,12 @@ > (struct compat_cmsghdr __user *)((msg)->msg_control) : \ > (struct compat_cmsghdr __user *)NULL) > >+#define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \ >+ ((ucmlen) >= sizeof(struct cmsghdr) && \ >+ (ucmlen) <= (unsigned long) \ >+ ((mhdr)->msg_controllen - \ >+ ((char *)(ucmsg) - (char *)(mhdr)->msg_control))) >+ > static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg, > struct compat_cmsghdr __user *cmsg, int cmsg_len) > { >@@ -154,11 +160,7 @@ > return -EFAULT; > > /* Catch bogons. */ >- if(CMSG_COMPAT_ALIGN(ucmlen) < >- CMSG_COMPAT_ALIGN(sizeof(struct compat_cmsghdr))) >- return -EINVAL; >- if((unsigned long)(((char __user *)ucmsg - (char __user *)kmsg->msg_control) >- + ucmlen) > kmsg->msg_controllen) >+ if (!CMSG_COMPAT_OK(ucmlen, ucmsg, kmsg)) > return -EINVAL; > > tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) + >diff -Nru a/drivers/char/vt.c b/drivers/char/vt.c >--- a/drivers/char/vt.c 2005-02-15 11:46:59 -08:00 >+++ b/drivers/char/vt.c 2005-02-15 11:46:59 -08:00 
>@@ -768,6 +768,8 @@ > * [this is to be used together with some user program > * like resize that changes the hardware videomode] > */ >+#define VC_RESIZE_MAXCOL (32767) >+#define VC_RESIZE_MAXROW (32767) > int vc_resize(int currcons, unsigned int cols, unsigned int lines) > { > unsigned long old_origin, new_origin, new_scr_end, rlth, rrem, err = 0; >@@ -779,6 +781,9 @@ > > if (!vc_cons_allocated(currcons)) > return -ENXIO; >+ >+ if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW) >+ return -EINVAL; > > new_cols = (cols ? cols : video_num_columns); > new_rows = (lines ? lines : video_num_lines);
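Review bot: In the first net/compat.c hunk, the lower bound in CMSG_COMPAT_OK compares ucmlen against sizeof(struct cmsghdr), while the check it replaces in the next hunk used sizeof(struct compat_cmsghdr). The length comes from a compat header, so the compat structure looks like the right type here; if the native header is larger than the compat one, a minimal but valid compat control message would now be rejected with -EINVAL. The casts inside the macro also drop the __user annotation that the removed code carried on the same pointer arithmetic ((char __user *)ucmsg), which is worth keeping for static checkers.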
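Review bot: In the second net/compat.c hunk, the context line directly after the new check computes ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg)), and the only thing preventing that subtraction from wrapping is now the lower bound hidden inside CMSG_COMPAT_OK. The removed test compared aligned sizes on both sides; the macro compares the raw ucmlen against an unaligned sizeof. Please confirm the macro's lower bound is never smaller than CMSG_COMPAT_ALIGN(sizeof(*ucmsg)), and say so in the "Catch bogons" comment so the dependency stays visible at the call site.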
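Review bot: In the first drivers/char/vt.c hunk, the two #define lines are inserted between the closing of the function's comment block and int vc_resize(...), so the comment now sits above the macros rather than the function it documents. Move VC_RESIZE_MAXCOL and VC_RESIZE_MAXROW above the comment. The value 32767 is also unexplained in the code; the changeset text says the point is that the size must fit in s16, so a one-line comment stating that would tie the constant to the field it protects.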
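Review bot: In the second drivers/char/vt.c hunk, the new test bounds cols and lines individually, but nothing visible here bounds their combination. With both at the maximum the screen buffer implied by new_cols and new_rows is very large, so it is worth confirming that the size arithmetic further down the function (not shown in this hunk) cannot overflow its type and that an allocation failure at that size is handled as a clean error return. A short comment above the check naming the s16 fields it protects would also help later readers.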