From: Mauro Carvalho Chehab <mchehab@redhat.com>
Date: Fri, 28 Jan 2011 15:58:34 -0500
Subject: [media] dvb: fix av7110 negative array offset
Message-id: <4D42E7AA.6010003@redhat.com>
Patchwork-id: 4542
O-Subject: [kernel team] [RHEL5.7] Bug 672402 - CVE-2011-0521 kernel: av7110 negative array offset
Bugzilla: 672402
CVE: CVE-2011-0521
RH-Acked-by: Dean Nelson <dnelson@redhat.com>
RH-Acked-by: Bob Picco <bpicco@redhat.com>
RH-Acked-by: Eugene Teo <eugene@redhat.com>

The av7110 DVB driver has an issue when used with a Conditional Access Module. It is the fault of the current API that defined the CA slot number as a signed number. As the driver doesn't check for non-negative numbers, it ends up writing outside the ci_slot array.

I've checked and other drivers on RHEL 5 seem safe.

Btw, the same fixes also apply to RHEL5.6.z (BZ# 672401)

So, we just need to backport this upstream patch:

commit 308b7f9d090f970dd86a427c6320402365016aae
Author: Dan Carpenter <error27@gmail.com>
Date: Fri Jan 7 16:41:54 2011 -0300

[media] [v3,media] av7110: check for negative array offset

info->num comes from the user. It's type int. If the user passes in a negative value that would cause memory corruption.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Jarod Wilson <jarod@redhat.com>

diff --git a/drivers/media/dvb/ttpci/av7110_ca.c b/drivers/media/dvb/ttpci/av7110_ca.c index 6079e88..873895a 100644 --- a/drivers/media/dvb/ttpci/av7110_ca.c +++ b/drivers/media/dvb/ttpci/av7110_ca.c @@ -280,7 +280,7 @@ static int dvb_ca_ioctl(struct inode *inode, struct file *file, { ca_slot_info_t *info=(ca_slot_info_t *)parg; - if (info->num > 1) + if (info->num < 0 || info->num > 1) return -EINVAL; av7110->ci_slot[info->num].num = info->num; av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
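
Review bot: in the info->num check of the dvb_ca_ioctl hunk, the upper bound is still the literal 1, so the test is only correct while that constant matches the number of entries in av7110->ci_slot, which these lines do not show. Consider bounding against the array itself, for example "if (info->num < 0 || info->num >= ARRAY_SIZE(av7110->ci_slot))", so the check and the array cannot drift apart. A short comment above the check noting that info->num is a signed int supplied by the caller would also record why the lower bound is needed, since the two writes to ci_slot[info->num] that follow rely entirely on this one test.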