This is a note to let you know that I've just added the patch titled
usb: iowarrior: don't trust report_size for buffer size
to the 2.6.32-longterm tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/longterm/longterm-queue-2.6.32.git;a=summary
The filename of the patch is:
usb-iowarrior-don-t-trust-report_size-for-buffer-size.patch
and it can be found in the queue-2.6.32 subdirectory.
If you, or anyone else, feels it should not be added to the 2.6.32 longterm
tree,
please let <[email protected]> know about it.
>From 3ed780117dbe5acb64280d218f0347f238dafed0 Mon Sep 17 00:00:00 2001
From: Kees Cook <[email protected]>
Date: Mon, 11 Oct 2010 11:28:16 -0700
Subject: usb: iowarrior: don't trust report_size for buffer size
From: Kees Cook <[email protected]>
commit 3ed780117dbe5acb64280d218f0347f238dafed0 upstream.
If the iowarrior devices in this case statement support more than 8 bytes
per report, it is possible to write past the end of a kernel heap allocation.
This will probably never be possible, but change the allocation to be more
defensive anyway.
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Acked-by: Brandon Philips <[email protected]>
---
drivers/usb/misc/iowarrior.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -373,7 +373,7 @@ static ssize_t iowarrior_write(struct fi
case USB_DEVICE_ID_CODEMERCS_IOWPV2:
case USB_DEVICE_ID_CODEMERCS_IOW40:
/* IOW24 and IOW40 use a synchronous call */
- buf = kmalloc(8, GFP_KERNEL); /* 8 bytes are enough for both
products */
+ buf = kmalloc(count, GFP_KERNEL);
if (!buf) {
retval = -ENOMEM;
goto exit;
Patches currently in longterm-queue-2.6.32 which might be from
[email protected] are
_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable
