Prev: [01/20] ALSA: AACI: fix AC97 multiple-open bug
Next: [109/119] acerhdf: fix fan control for AOA150 model
From: Greg KH on 6 Dec 2009 18:50
2.6.27-stable review patch. If anyone has any objections, please let us know.

------------------
From: Dave Jones <davej(a)redhat.com>

commit 690e744869f3262855b83b4fb59199cf142765b0 upstream.

A negative offset could be used to index before the event buffer and
lead to a security breach.

Signed-off-by: Dave Jones <davej(a)redhat.com>
Signed-off-by: James Bottomley <James.Bottomley(a)suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)suse.de>

---
drivers/scsi/gdth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/gdth.c
+++ b/drivers/scsi/gdth.c
@@ -2912,7 +2912,7 @@ static int gdth_read_event(gdth_ha_str *
eindex = handle;
estr->event_source = 0;

- if (eindex >= MAX_EVENTS) {
+ if (eindex < 0 || eindex >= MAX_EVENTS) {
spin_unlock_irqrestore(&ha->smp_lock, flags);
return eindex;
}


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
 | 
Pages: 1
Prev: [01/20] ALSA: AACI: fix AC97 multiple-open bug
Next: [109/119] acerhdf: fix fan control for AOA150 model