This is an automatic generated email to let you know that the following patch were queued at the http://git.linuxtv.org/cgit.cgi/media_tree.git tree:
Subject: [media] siano: firmware buffer is too small Author: Mauro Carvalho Chehab <[email protected]> Date: Mon Feb 15 13:56:26 2016 -0200 As pointed by KASAN: BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880000038d8c Read of size 128 by task systemd-udevd/2536 page:ffffea0000000800 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0xffff8000004000(head) page dumped because: kasan: bad access detected CPU: 1 PID: 2536 Comm: systemd-udevd Not tainted 4.5.0-rc3+ #47 Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015 ffff880000038d8c ffff8803b0f1f1e8 ffffffff81933901 0000000000000080 ffff8803b0f1f280 ffff8803b0f1f270 ffffffff815602c5 ffffffff8284cf93 ffffffff822ddc00 0000000000000282 0000000000000001 ffff88009c7c6000 Call Trace: [<ffffffff81933901>] dump_stack+0x85/0xc4 [<ffffffff815602c5>] kasan_report_error+0x525/0x550 [<ffffffff815606e9>] kasan_report+0x39/0x40 [<ffffffff8155f84d>] memcpy+0x1d/0x40 [<ffffffffa120cb90>] smscore_set_device_mode+0xee0/0x2560 [smsmdtv] Such error happens at the memcpy code below: 0x4bc0 is in smscore_set_device_mode (drivers/media/common/siano/smscoreapi.c:975). 970 sizeof(u32) + payload_size)); 971 972 data_msg->mem_addr = mem_address; 973 memcpy(data_msg->payload, payload, payload_size); 974 975 rc = smscore_sendrequest_and_wait(coredev, data_msg, 976 data_msg->x_msg_header.msg_length, 977 &coredev->data_download_done); 978 979 payload += payload_size; The problem is that the Siano driver uses a header to store the firmware, with requires a few more bytes than allocated. Tested with: PCTV 77e (2013:0257) Hauppauge WinTV MiniStick (2040:5510) Signed-off-by: Mauro Carvalho Chehab <[email protected]> drivers/media/common/siano/smscoreapi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- http://git.linuxtv.org/cgit.cgi/media_tree.git/commit/?id=21cf734c79e6c741dcdf383dbaef3b551b931568 diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c index 2a8d9a36d6f0..f3a42834d7d6 100644 --- a/drivers/media/common/siano/smscoreapi.c +++ b/drivers/media/common/siano/smscoreapi.c @@ -1167,8 +1167,8 @@ static int smscore_load_firmware_from_file(struct smscore_device_t *coredev, return rc; } pr_debug("read fw %s, buffer size=0x%zx\n", fw_filename, fw->size); - fw_buf = kmalloc(ALIGN(fw->size, SMS_ALLOC_ALIGNMENT), - GFP_KERNEL | GFP_DMA); + fw_buf = kmalloc(ALIGN(fw->size + sizeof(struct sms_firmware), + SMS_ALLOC_ALIGNMENT), GFP_KERNEL | GFP_DMA); if (!fw_buf) { pr_err("failed to allocate firmware buffer\n"); rc = -ENOMEM; _______________________________________________ linuxtv-commits mailing list [email protected] http://www.linuxtv.org/cgi-bin/mailman/listinfo/linuxtv-commits
