Upstream commit as below:

commit f63ae56e4e97fb12053590e41a4fa59e7daa74a4
Author: Dan Carpenter <[email protected]>
Date: Fri Oct 8 09:03:07 2010 +0200

[SCSI] gdth: integer overflow in ioctl

gdth_ioctl_alloc() takes the size variable as an int.
copy_from_user() takes the size variable as an unsigned long.
gen.data_len and gen.sense_len are unsigned longs.
On x86_64 longs are 64 bit and ints are 32 bit.

We could pass in a very large number and the allocation would truncate
the size to 32 bits and allocate a small buffer. Then when we do the
copy_from_user(), it would result in a memory corruption.

CC: [email protected]
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: James Bottomley <[email protected]>

** Also affects: linux (Ubuntu Hardy)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Maverick)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Dapper)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Natty)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Karmic)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Natty)
Status: New => Invalid
--
https://bugs.launchpad.net/bugs/711797
Title:
CVE-2010-4157
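
The width mismatch described in the commit message above, as an added userspace example (not code from the gdth driver or from the upstream patch). The function names, the sample lengths, and the assumption that the request size is data_len + sense_len are all constructed for illustration; the check shown is one way to validate before narrowing.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* What is left of a 64-bit length once it is passed through a 32-bit int
 * parameter: only the low 32 bits survive. */
static uint32_t narrowed_size(uint64_t len)
{
    return (uint32_t)(len & 0xffffffffu);
}

/* 1 when the buffer sized from the narrowed value is smaller than the
 * full-width length later used for the copy. Assumption: the request size
 * is data_len + sense_len. */
static int alloc_smaller_than_copy(uint64_t data_len, uint64_t sense_len)
{
    uint64_t copy_len = data_len + sense_len;
    return narrowed_size(copy_len) < copy_len;
}

/* Validate at full width before narrowing. Stores the int size in *out and
 * returns 0, or returns -EINVAL without touching *out. */
static int checked_alloc_size(uint64_t data_len, uint64_t sense_len, int *out)
{
    const uint64_t max = (uint64_t)INT_MAX;

    if (data_len > max || sense_len > max)
        return -EINVAL;
    if (data_len + sense_len > max)   /* cannot wrap: both are <= INT_MAX */
        return -EINVAL;
    *out = (int)(data_len + sense_len);
    return 0;
}

int main(void)
{
    uint64_t data_len = 0x100000000ULL, sense_len = 0x10; /* constructed */
    int size = 0;

    printf("copy length %llu, allocator sees %u, mismatch %d\n",
           (unsigned long long)(data_len + sense_len),
           narrowed_size(data_len + sense_len),
           alloc_smaller_than_copy(data_len, sense_len));
    printf("checked: %d\n", checked_alloc_size(data_len, sense_len, &size));
    return 0;
}
```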