.27 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Mon, 22 Nov 2010 22:08:10 +0000 (14:08 -0800)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 22 Nov 2010 22:08:10 +0000 (14:08 -0800)
queue-2.6.27/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch [new file with mode: 0644]
queue-2.6.27/irda-fix-heap-memory-corruption-in-iriap.c.patch [new file with mode: 0644]
queue-2.6.27/irda-fix-parameter-extraction-stack-overflow.patch [new file with mode: 0644]

diff --git a/queue-2.6.27/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch b/queue-2.6.27/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
new file mode 100644 (file)
index 0000000..a2fc561
--- /dev/null
@@ -0,0 +1,31 @@
+From 9284bcf4e335e5f18a8bc7b26461c33ab60d0689 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <jaxboe@fusionio.com>
+Date: Fri, 29 Oct 2010 08:10:18 -0600
+Subject: block: check for proper length of iov entries in blk_rq_map_user_iov()
+
+From: Jens Axboe <jaxboe@fusionio.com>
+
+commit 9284bcf4e335e5f18a8bc7b26461c33ab60d0689 upstream.
+
+Ensure that we pass down properly validated iov segments before
+calling into the mapping or copy functions.
+
+Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ block/blk-map.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -191,6 +191,8 @@ int blk_rq_map_user_iov(struct request_q
+                       unaligned = 1;
+                       break;
+               }
++              if (!iov[i].iov_len)
++                      return -EINVAL;
+       }
+       if (unaligned || (q->dma_pad_mask & len))
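Review bot: The new zero-length test sits after the alignment branch, so an entry that takes `unaligned = 1; break;` leaves the loop before `iov[i].iov_len` is examined, and neither that entry nor any later one is validated before the copy path runs. Moving `if (!iov[i].iov_len) return -EINVAL;` to the top of the loop body, ahead of the alignment test, covers the unaligned entry. Later entries are only covered if the loop stops breaking early, which depends on the loop head outside this hunk. A short comment such as `/* reject zero-length segments before mapping or copying */` would also record why the check exists.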
diff --git a/queue-2.6.27/irda-fix-heap-memory-corruption-in-iriap.c.patch b/queue-2.6.27/irda-fix-heap-memory-corruption-in-iriap.c.patch
new file mode 100644 (file)
index 0000000..4627081
--- /dev/null
@@ -0,0 +1,32 @@
+From 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 Mon Sep 17 00:00:00 2001
+From: Samuel Ortiz <samuel@sortiz.org>
+Date: Wed, 6 Oct 2010 01:03:12 +0200
+Subject: irda: Fix heap memory corruption in iriap.c
+
+From: Samuel Ortiz <samuel@sortiz.org>
+
+commit 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 upstream.
+
+While parsing the GetValuebyClass command frame, we could potentially write
+passed the skb->data pointer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/irda/iriap.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/irda/iriap.c
++++ b/net/irda/iriap.c
+@@ -501,7 +501,8 @@ static void iriap_getvaluebyclass_confir
+               IRDA_DEBUG(4, "%s(), strlen=%d\n", __func__, value_len);
+               /* Make sure the string is null-terminated */
+-              fp[n+value_len] = 0x00;
++              if (n + value_len < skb->len)
++                      fp[n + value_len] = 0x00;
+               IRDA_DEBUG(4, "Got string %s\n", fp+n);
+               /* Will truncate to IAS_MAX_STRING bytes */
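Review bot: When `n + value_len >= skb->len` the guard skips the terminator write, but execution still falls through to `IRDA_DEBUG(4, "Got string %s\n", fp+n)`, which reads `fp+n` as a NUL-terminated string. The out-of-bounds write is gone, but an over-long `value_len` taken from the frame can still cause a read past the end of the skb data, here and presumably in the string copy that follows the "Will truncate" comment (not visible in this hunk). Treating the failed bound as a malformed frame is safer than continuing, for example an `else` branch that leaves through the function's existing error path before any `%s` use. The comment `/* Make sure the string is null-terminated */` should then say that termination happens only when the length fits inside the frame.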
diff --git a/queue-2.6.27/irda-fix-parameter-extraction-stack-overflow.patch b/queue-2.6.27/irda-fix-parameter-extraction-stack-overflow.patch
new file mode 100644 (file)
index 0000000..44c4b78
--- /dev/null
@@ -0,0 +1,37 @@
+From efc463eb508798da4243625b08c7396462cabf9f Mon Sep 17 00:00:00 2001
+From: Samuel Ortiz <samuel@sortiz.org>
+Date: Mon, 11 Oct 2010 01:17:56 +0200
+Subject: irda: Fix parameter extraction stack overflow
+
+From: Samuel Ortiz <samuel@sortiz.org>
+
+commit efc463eb508798da4243625b08c7396462cabf9f upstream.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/irda/parameters.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/irda/parameters.c
++++ b/net/irda/parameters.c
+@@ -298,6 +298,8 @@ static int irda_extract_string(void *sel
+       p.pi = pi;     /* In case handler needs to know */
+       p.pl = buf[1]; /* Extract length of value */
++      if (p.pl > 32)
++              p.pl = 32;
+       IRDA_DEBUG(2, "%s(), pi=%#x, pl=%d\n", __func__,
+                  p.pi, p.pl);
+@@ -318,7 +320,7 @@ static int irda_extract_string(void *sel
+                  (__u8) str[0], (__u8) str[1]);
+       /* Null terminate string */
+-      str[p.pl+1] = '\0';
++      str[p.pl] = '\0';
+       p.pv.c = str; /* Handler will need to take a copy */
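Review bot: The clamp `if (p.pl > 32) p.pl = 32;` hard-codes a bound that must match the size of `str`, whose declaration is outside this hunk, so resizing the buffer would silently break the pairing with `str[p.pl] = '\0'`. Deriving the limit from the buffer, `if (p.pl > sizeof(str) - 1) p.pl = sizeof(str) - 1;` (assuming `str` is a local array), keeps the two tied together. Clamping also changes the length the rest of the function sees. If the return value reports bytes consumed based on `p.pl`, an oversized parameter would leave the caller misaligned in the parameter stream, so rejecting it with an error may be the safer choice. The patch has no description, so a comment on the clamp stating the buffer size it protects would help the next reader.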