ChangeSet 1.1796, 2004/04/14 14:30:34-07:00, m.c.p@kernel.linux-systeme.com

[PATCH] USB: fix CAN-2004-0075

Okay, now while we are at fixing security holes, is there any chance we can _finally_ get the attached patch in?

The Vicam USB driver in all Linux Kernels 2.6 mainline does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service.

Already ACKed by Greg. Only complaint was improper coding style which is done with attached patch ;)

ciao, Marc

drivers/usb/media/vicam.c | 12 +++++++++--- 1 files changed, 9 insertions(+), 3 deletions(-) diff -Nru a/drivers/usb/media/vicam.c b/drivers/usb/media/vicam.c --- a/drivers/usb/media/vicam.c Wed Apr 14 14:32:40 2004 +++ b/drivers/usb/media/vicam.c Wed Apr 14 14:32:40 2004 @@ -653,12 +653,18 @@ case VIDIOCSWIN: { - struct video_window *vw = (struct video_window *) arg; - DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height); + struct video_window vw; - if ( vw->width != 320 || vw->height != 240 ) + if (copy_from_user(&vw, arg, sizeof(vw))) { retval = -EFAULT; + break; + } + + DBG("VIDIOCSWIN %d x %d\n", vw->width, vw->height); + if ( vw.width != 320 || vw.height != 240 ) + retval = -EFAULT; + break; }
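
Review bot: In the VIDIOCSWIN case, the re-added DBG line still passes vw->width and vw->height, but vw is now a struct video_window on the stack rather than a pointer, so that line will not compile in any build where DBG expands to a real call. It should use vw.width and vw.height, as the size check directly below it already does. Separately, the 320x240 check returns -EFAULT, the same code as the copy_from_user failure path; that predates this change, but -EINVAL for the bad-size case would let callers tell an unreadable user pointer apart from an unsupported window size.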