[meta-freescale] [meta-fsl-ppc][PATCH][dizzy 2/5] [media] ttusb-dec: CVE-2014-8884
Sona Sarmadi
sona.sarmadi at enea.com
Tue Dec 15 04:57:30 PST 2015
Fixes buffer overflow in ioctl.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8884
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/
?id=482c6cb2dfb40838d67b0ba844b4b3d0af0f3d20
Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
.../files/media-ttusb-dec-CVE-2014-8884.patch | 37 ++++++++++++++++++++++
recipes-kernel/linux/linux-qoriq_3.12.bb | 1 +
2 files changed, 38 insertions(+)
create mode 100644 recipes-kernel/linux/files/media-ttusb-dec-CVE-2014-8884.patch
diff --git a/recipes-kernel/linux/files/media-ttusb-dec-CVE-2014-8884.patch b/recipes-kernel/linux/files/media-ttusb-dec-CVE-2014-8884.patch
new file mode 100644
index 0000000..ae27944
--- /dev/null
+++ b/recipes-kernel/linux/files/media-ttusb-dec-CVE-2014-8884.patch
@@ -0,0 +1,37 @@
+commit 482c6cb2dfb40838d67b0ba844b4b3d0af0f3d20
+Author: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Fri, 5 Sep 2014 09:09:28 -0300
+Subject: [media] ttusb-dec: buffer overflow in ioctl
+
+commit f2e323ec96077642d397bb1c355def536d489d16 upstream.
+
+We need to add a limit check here so we don't overflow the buffer.
+
+Fixes CVE-2014-8884
+Upstream-Status: Backport
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ drivers/media/usb/ttusb-dec/ttusbdecfe.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/usb/ttusb-dec/ttusbdecfe.c b/drivers/media/usb/ttusb-dec/ttusbdecfe.c
+index 5c45c9d..9c29552 100644
+--- a/drivers/media/usb/ttusb-dec/ttusbdecfe.c
++++ b/drivers/media/usb/ttusb-dec/ttusbdecfe.c
+@@ -156,6 +156,9 @@ static int ttusbdecfe_dvbs_diseqc_send_master_cmd(struct dvb_frontend* fe, struc
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00 };
+
++ if (cmd->msg_len > sizeof(b) - 4)
++ return -EINVAL;
++
+ memcpy(&b[4], cmd->msg, cmd->msg_len);
+
+ state->config->send_command(fe, 0x72,
+--
+cgit v0.11.2
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index f078518..e89a289 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -34,6 +34,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
file://fs-isofs-CVE-2014-9420.patch \
file://udp-CVE-2015-5364_CVE-2015-5366.patch \
file://mm-CVE-2014-3122.patch \
+ file://media-ttusb-dec-CVE-2014-8884.patch \
"
SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
--
1.9.1
More information about the meta-freescale
mailing list