authorTakashi Iwai <tiwai@suse.de>2019-06-24 12:03:41 +0200
committerTakashi Iwai <tiwai@suse.de>2019-06-24 12:03:49 +0200
commit3b24929a5b4ff7f9b9fbedaa9f2c2713c03a1161 (patch)
tree78a1d2ea70b75bd32e307c9c440b7b7f2ec63672
parentf0dd41e738320d625648654b29538a44b35671b0 (diff)
mISDN: make sure device name is NUL terminated (bsc#1051510).
-rw-r--r--patches.drivers/mISDN-make-sure-device-name-is-NUL-terminated.patch58
-rw-r--r--series.conf1
2 files changed, 59 insertions, 0 deletions
diff --git a/patches.drivers/mISDN-make-sure-device-name-is-NUL-terminated.patch b/patches.drivers/mISDN-make-sure-device-name-is-NUL-terminated.patch
new file mode 100644
index 0000000000..7230277b2b
--- /dev/null
+++ b/patches.drivers/mISDN-make-sure-device-name-is-NUL-terminated.patch
@@ -0,0 +1,58 @@
+From ccfb62f27beb295103e9392462b20a6ed807d0ea Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 22 May 2019 11:45:13 +0300
+Subject: [PATCH] mISDN: make sure device name is NUL terminated
+Git-commit: ccfb62f27beb295103e9392462b20a6ed807d0ea
+Patch-mainline: v5.2-rc3
+References: bsc#1051510
+
+The user can change the device_name with the IMSETDEVNAME ioctl, but we
+need to ensure that the user's name is NUL terminated. Otherwise it
+could result in a buffer overflow when we copy the name back to the user
+with IMGETDEVINFO ioctl.
+
+I also changed two strcpy() calls which handle the name to strscpy().
+Hopefully, there aren't any other ways to create a too long name, but
+it's nice to do this as a kernel hardening measure.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/isdn/mISDN/socket.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
+index a14e35d40538..84e1d4c2db66 100644
+--- a/drivers/isdn/mISDN/socket.c
++++ b/drivers/isdn/mISDN/socket.c
+@@ -393,7 +393,7 @@ data_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+ memcpy(di.channelmap, dev->channelmap,
+ sizeof(di.channelmap));
+ di.nrbchan = dev->nrbchan;
+- strcpy(di.name, dev_name(&dev->dev));
++ strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
+ if (copy_to_user((void __user *)arg, &di, sizeof(di)))
+ err = -EFAULT;
+ } else
+@@ -676,7 +676,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+ memcpy(di.channelmap, dev->channelmap,
+ sizeof(di.channelmap));
+ di.nrbchan = dev->nrbchan;
+- strcpy(di.name, dev_name(&dev->dev));
++ strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
+ if (copy_to_user((void __user *)arg, &di, sizeof(di)))
+ err = -EFAULT;
+ } else
+@@ -690,6 +690,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+ err = -EFAULT;
+ break;
+ }
++ dn.name[sizeof(dn.name) - 1] = '\0';
+ dev = get_mdevice(dn.id);
+ if (dev)
+ err = device_rename(&dev->dev, dn.name);
+--
+2.16.4
+
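Review bot: The added `dn.name[sizeof(dn.name) - 1] = '\0';` in the IMSETDEVNAME path of base_sock_ioctl silently shortens a user-supplied name that fills the whole buffer, and `device_rename(&dev->dev, dn.name)` then proceeds with a name the caller did not ask for. Rejecting unterminated input would make the contract explicit and keep malformed requests visible to the caller: `if (strnlen(dn.name, sizeof(dn.name)) == sizeof(dn.name)) { err = -EINVAL; break; }`. The two `strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));` calls also discard the return value, so a device name longer than `di.name` would be returned truncated with no indication; whether such a name can exist depends on code outside these hunks. If the forced termination is kept, a short comment such as `/* user-supplied name may not be NUL terminated */` above it would record why the line is there. Both ioctl function bodies start and end outside the hunks shown.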
diff --git a/series.conf b/series.conf
index c292f92252..5519b0e9fe 100644
--- a/series.conf
+++ b/series.conf
@@ -22538,6 +22538,7 @@
patches.suse/btrfs-fix-fsync-not-persisting-changed-attributes-of.patch
patches.suse/btrfs-fix-wrong-ctime-and-mtime-of-a-directory-after.patch
patches.suse/btrfs-fix-race-updating-log-root-item-during-fsync.patch
+ patches.drivers/mISDN-make-sure-device-name-is-NUL-terminated.patch
patches.suse/net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-STAT.patch
patches.drm/0004-drm-etnaviv-lock-MMU-while-dumping-core.patch
patches.drivers/USB-Fix-slab-out-of-bounds-write-in-usb_get_bos_desc.patch