1. 10 10月, 2010 1 次提交
  2. 28 9月, 2010 1 次提交
    • D
      Fix pktcdvd ioctl dev_minor range check · 252a52aa
      Dan Rosenberg 提交于
      The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
      pktcdvd_device from the global pkt_devs array.  The index into this
      array is provided directly by the user and is a signed integer, so the
      comparison to ensure that it falls within the bounds of this array will
      fail when provided with a negative index.
      
      This can be used to read arbitrary kernel memory or cause a crash due to
      an invalid pointer dereference.  This can be exploited by users with
      permission to open /dev/pktcdvd/control (on many distributions, this is
      readable by group "cdrom").
      Signed-off-by: NDan Rosenberg <dan.j.rosenberg@gmail.com>
      [ Rather than add a cast, just make the function take the right type -Linus ]
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      252a52aa
  3. 21 9月, 2010 1 次提交
    • D
      cciss: freeing uninitialized data on error path · b0722cb1
      Dan Carpenter 提交于
      The "h->scatter_list" is allocated inside a for loop.  If any of those
      allocations fail, then the rest of the list is uninitialized data.  When
      we free it we should start from the top and free backwards so that we
      don't call kfree() on uninitialized pointers.
      
      Also if the allocation for "h->scatter_list" fails then we would get an
      Oops here.  I should have noticed this when I send: 4ee69851 "cciss:
      handle allocation failure."  but I didn't.  Sorry about that.
      Signed-off-by: NDan Carpenter <error27@gmail.com>
      Signed-off-by: NJens Axboe <jaxboe@fusionio.com>
      b0722cb1
  4. 26 8月, 2010 1 次提交
  5. 23 8月, 2010 5 次提交
  6. 18 8月, 2010 1 次提交
  7. 09 8月, 2010 1 次提交
  8. 08 8月, 2010 29 次提交