Linus,
Please apply the attached patch.
It fixes a security problem of user-controlled access to the card ports from
a non-privileged ioctl which should have read-only semantics.
Best regards
Andrey
On Tue, Jun 05, 2001 at 11:07:06AM +0200, Bogdan Costescu wrote:
> On Sun, 3 Jun 2001, Jeff Garzik wrote:
>
> > Bogdan Costescu wrote:
> > > With clearer mind, I have to make some a correction to one of the previous
> > > messages: the problem of not checking arguments range does not apply to
> > > 3c59x which has in the ioctl function '& 0x1f' for both transceiver number
> > > and register number. However, eepro100 and tulip don't do that. (I'm
> > > checking now with 2.4.3 from Mandrake 8, but I don't think that there were
> > > recent changes in these areas).
> >
> > half right -- tulip does this for the phy id but not the MII register
> > number. I'll fix that up. Please bug Andrey about fixing up
> > eepro100...
--k+w/mQv8wyuph6w0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=mii-access1
--- drivers/net/eepro100.c.prev Sat Jan 27 05:07:13 2001
+++ drivers/net/eepro100.c Wed Jun 6 22:26:03 2001
@@ -1913,7 +1913,7 @@
timer routine. 2000/05/09 SAW */
saved_acpi = pci_set_power_state(sp->pdev, 0);
t = del_timer_sync(&sp->timer);
- data[3] = mdio_read(ioaddr, data[0], data[1]);
+ data[3] = mdio_read(ioaddr, data[0] & 0x1f, data[1] & 0x1f);
if (t)
add_timer(&sp->timer); /* may be set to the past --SAW */
pci_set_power_state(sp->pdev, saved_acpi);
--k+w/mQv8wyuph6w0--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/