The sprintf() function can be overflown by other local users using the ioctl. However, there is no return pointer so this can only be used for DoS.

Solution: Apply this patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=eafe1aa37e6ec2d56f14732b5240c4dd09f0613a

Reproducible: Always

Fixed in 2.6.23.10: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23.10:

commit 27b396672af95abad9591d9123e62d6ab4b655da
Author: Karsten Keil <kkeil@suse.de>
Date: Sat Dec 1 12:16:15 2007 -0800

I4L: fix isdn_ioctl memory overrun vulnerability

patch eafe1aa37e6ec2d56f14732b5240c4dd09f0613a in mainline.

Fix possible memory overrun issue in the isdn ioctl code.

Found by ADLAB <adlab@venustech.com.cn>

Signed-off-by: Karsten Keil <kkeil@suse.de>
Cc: ADLAB <adlab@venustech.com.cn>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

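The class of bug reported above, shown as an added user-space example; it is not the isdn code and does not reproduce the referenced patch. The struct, function names, buffer sizes and sample input are all constructed for illustration, and `fetch_req()` stands in for a copy from user space.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 20  /* constructed sizes, not the kernel's */
#define OUT_LEN   16

/* Hypothetical ioctl argument: a fixed-size name field filled by the caller. */
struct req { char name[FIELD_LEN]; };

/* Stand-in for copy_from_user(): copies raw bytes and adds no terminator. */
void fetch_req(struct req *dst, const void *src, size_t n)
{
    if (n > sizeof(*dst))
        n = sizeof(*dst);
    memset(dst, 0, sizeof(*dst));
    memcpy(dst, src, n);
}

/* Unsafe pattern (never called here): "%s" reads past name[] when the caller
 * supplied no NUL, and sprintf() writes past out[] for long input. */
int format_unsafe(char *out, const struct req *r)
{
    return sprintf(out, "%s,", r->name);
}

/* Hardened: terminate the field, bound the write, report truncation.
 * Returns 0 on success, -1 if the formatted result did not fit. */
int format_safe(char *out, size_t outlen, struct req *r)
{
    int n;

    r->name[sizeof(r->name) - 1] = '\0';
    n = snprintf(out, outlen, "%s,", r->name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    struct req r;
    char out[OUT_LEN], raw[FIELD_LEN];

    memset(raw, 'A', sizeof(raw));      /* constructed input with no NUL */
    fetch_req(&r, raw, sizeof(raw));
    printf("oversized: rc=%d out=%s\n", format_safe(out, sizeof(out), &r), out);
    fetch_req(&r, "isdn0", 6);          /* constructed well-formed name */
    printf("normal:    rc=%d out=%s\n", format_safe(out, sizeof(out), &r), out);
    return 0;
}
```
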
Latest update from 2007, please close.