Hi Jan,

On 06/10/2009 09:21 AM, Jan Nikitenko wrote:
This patch fixes a stack corruption bug present in the dump_regs function of
the zl10353 and qt1010 drivers:
the buffer buf is one byte smaller than required - there are 4 chars
for the address prefix, 16*3 chars for the dump of 16 eeprom bytes per line
and 1 byte for the zero ending the string required, i.e. 53 bytes, but
only 52 were provided.
The one byte missing in the stack-based buffer buf can cause stack
corruption possibly leading to a kernel oops, as discovered originally
with the af9015 driver.

Signed-off-by: Jan Nikitenko <jan.nikite...@gmail.com>

---

Antti Palosaari wrote:
 > On 06/10/2009 01:39 AM, Jan Nikitenko wrote:
 >> Solved with "[PATCH] af9015: fix stack corruption bug".
 >
 > This error leads to the zl10353.c and there it was copied to qt1010.c
 > and af9015.c.
 >
Antti, thanks for pointing out that the same problem was also in
zl10353.c and qt1010.c. Include your Sign-off-by, please.

I tried to test that patch (from patchwork) to ensure it is OK before ack, but I found it does not apply for some reason or other. It looks correct to my eyes. Please check what's wrong and apply a new patch.

[cr...@localhost v4l-dvb]$ patch -p1 < af9015-fix-stack-corruption-bug.patch
patching file linux/drivers/media/dvb/dvb-usb/af9015.c
[cr...@localhost v4l-dvb]$ patch -p1 < zl10353-and-qt1010-fix-stack-corruption-bug.patch
patching file linux/drivers/media/common/tuners/qt1010.c
Hunk #1 FAILED at 65.
1 out of 1 hunk FAILED -- saving rejects to file linux/drivers/media/common/tuners/qt1010.c.rej
patching file linux/drivers/media/dvb/frontends/zl10353.c
Hunk #1 FAILED at 102.
1 out of 1 hunk FAILED -- saving rejects to file linux/drivers/media/dvb/frontends/zl10353.c.rej
[cr...@localhost v4l-dvb]$ hg diff
diff -r 148b4c93a728 linux/drivers/media/dvb/dvb-usb/af9015.c
--- a/linux/drivers/media/dvb/dvb-usb/af9015.c Mon Jun 15 14:15:33 2009 -0300 +++ b/linux/drivers/media/dvb/dvb-usb/af9015.c Mon Jun 15 21:55:55 2009 +0300
@@ -541,7 +541,7 @@
 /* dump eeprom */
 static int af9015_eeprom_dump(struct dvb_usb_device *d)
 {
-       char buf[52], buf2[4];
+       char buf[4+3*16+1], buf2[4];
        u8 reg, val;

        for (reg = 0; ; reg++) {
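
Review bot: At "char buf[4+3*16+1], buf2[4];" the new size is bare arithmetic with nothing in the code to say what each term stands for. A one-line comment (address prefix, 16 dumped bytes at 3 chars each, terminating zero) or a named constant shared with the code that fills the buffer would keep the size and the format from drifting apart again. buf2[4] is left unchanged and the visible context does not show how it is written, so please confirm it still covers its longest formatted piece plus the terminator. Since the same declaration was copied into zl10353.c and qt1010.c, the same comment or constant should go into those hunks when they are regenerated.
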
[cr...@localhost v4l-dvb]$ hg head
changeset:   11978:148b4c93a728
tag:         tip
parent:      11975:144d8d0cebc5
parent:      11977:8b416ba3ac89
user:        Mauro Carvalho Chehab <mche...@redhat.com>
date:        Mon Jun 15 14:15:33 2009 -0300
summary:     merge: http://www.linuxtv.org/hg/~dougsland/em28xx

regards
Antti
--
http://palosaari.fi/
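
The size arithmetic from the patch description (4 + 16*3 + 1 = 53), as an added example that is not part of this thread or of the driver code: a bounded line formatter in userspace C that refuses a 52-byte buffer and accepts a 53-byte one. The "xx: " and "xx " formats and all names are assumptions, since the drivers' formatting calls are not shown in the message.

```c
#include <stddef.h>
#include <stdio.h>

#define BYTES_PER_LINE 16
#define PREFIX_LEN 4   /* assumed "xx: " address prefix */
#define CELL_LEN   3   /* assumed "xx " per dumped byte */
#define DUMP_LINE_SIZE (PREFIX_LEN + CELL_LEN * BYTES_PER_LINE + 1) /* +1: NUL */

/* Bounded formatter: returns the string length, or -1 if cap is too small. */
static int format_dump_line(char *out, size_t cap, unsigned addr,
                            const unsigned char *data, size_t n)
{
    size_t used, i;
    int w;

    w = snprintf(out, cap, "%02x: ", addr & 0xffu);
    if (w < 0 || (size_t)w >= cap)
        return -1;
    used = (size_t)w;
    for (i = 0; i < n; i++) {
        w = snprintf(out + used, cap - used, "%02x ", (unsigned)data[i]);
        if (w < 0 || (size_t)w >= cap - used)
            return -1;          /* cell would not fit with its terminator */
        used += (size_t)w;
    }
    return (int)used;
}

/* Format one full 16-byte line (constructed sample data) into cap bytes. */
static int full_line_with_capacity(size_t cap)
{
    unsigned char sample[BYTES_PER_LINE];
    char scratch[64];
    size_t i;

    for (i = 0; i < BYTES_PER_LINE; i++)
        sample[i] = (unsigned char)(0xa0 + i);
    if (cap > sizeof(scratch))
        return -1;
    return format_dump_line(scratch, cap, 0x10, sample, BYTES_PER_LINE);
}

int main(void)
{
    printf("required size: %d\n", DUMP_LINE_SIZE);
    printf("cap 52 -> %d\n", full_line_with_capacity(52));
    printf("cap 53 -> %d\n", full_line_with_capacity(53));
    return 0;
}
```

With unbounded sprintf/strcat in place of snprintf, the 52-byte case would write the terminating zero one byte past the end of the buffer instead of returning an error.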