rpms/kernel/F-11 hda-check-strcpy-length.patch, NONE, 1.1 linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch, NONE, 1.1 kernel.spec, 1.1716, 1.1717
Chuck Ebbert
cebbert at fedoraproject.org
Thu Aug 27 18:52:06 UTC 2009
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23185
Modified Files:
kernel.spec
Added Files:
hda-check-strcpy-length.patch
linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch
Log Message:
Fix string overflows found by stackprotector:
hda-check-strcpy-length.patch
linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch
hda-check-strcpy-length.patch:
hda_codec.c | 2 ++
hda_intel.c | 10 ++++++----
2 files changed, 8 insertions(+), 4 deletions(-)
--- NEW FILE hda-check-strcpy-length.patch ---
From: Takashi Iwai <tiwai at suse.de>
Date: Thu, 16 Apr 2009 08:22:24 +0000 (+0200)
Subject: ALSA: hda - Check strcpy length
X-Git-Tag: v2.6.31-rc1~38^2~11^2~54
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=18cb7109d3e83195b605ff2905981020e86f72ca
ALSA: hda - Check strcpy length
Check the length to copy via strlen() beforehand to avoid the stack
corruption, or use strlcpy() to be safe in HD-audio codes.
Signed-off-by: Takashi Iwai <tiwai at suse.de>
---
diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
index 37f24ce..48f0cea 100644
--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -1431,6 +1431,8 @@ _snd_hda_find_mixer_ctl(struct hda_codec *codec,
memset(&id, 0, sizeof(id));
id.iface = SNDRV_CTL_ELEM_IFACE_MIXER;
id.index = idx;
+ if (snd_BUG_ON(strlen(name) >= sizeof(id.name)))
+ return NULL;
strcpy(id.name, name);
return snd_ctl_find_id(codec->bus->card, &id);
}
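Review bot: The new length guard in _snd_hda_find_mixer_ctl() is wrapped in snd_BUG_ON(), which in ALSA headers of this era is, as far as I recall, defined as constant false when CONFIG_SND_DEBUG is not set. If that holds for this tree, the check compiles away on non-debug builds and the following `strcpy(id.name, name)` stays unbounded, so confirm against the snd_BUG_ON() definition in the ALSA core header. An unconditional test such as `if (strlen(name) >= sizeof(id.name)) return NULL;` would protect every build, as would `strlcpy(id.name, name, sizeof(id.name));`, which matches the hda_intel.c hunks. The function's signature and earlier body lie outside this hunk.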
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index 21a3092..41db5d4 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -1830,7 +1830,7 @@ azx_attach_pcm_stream(struct hda_bus *bus, struct hda_codec *codec,
&pcm);
if (err < 0)
return err;
- strcpy(pcm->name, cpcm->name);
+ strlcpy(pcm->name, cpcm->name, sizeof(pcm->name));
apcm = kzalloc(sizeof(*apcm), GFP_KERNEL);
if (apcm == NULL)
return -ENOMEM;
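Review bot: The strlcpy() call added here, and the strlcpy()/snprintf() calls added in the azx_create() hunk that follows, truncate silently, so an over-long PCM name, short name or long name would be registered in shortened form with nothing in the log to explain it. strlcpy() returns the length of the source string, so comparing its result with `sizeof(pcm->name)` (and likewise `sizeof(card->shortname)`) is enough to emit a one-line warning when truncation happens. strlcpy() also still walks the whole source, so `cpcm->name` must be NUL-terminated; a short comment stating that assumption would help. The bodies of azx_attach_pcm_stream() and azx_create() extend beyond these hunks.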
@@ -2358,9 +2358,11 @@ static int __devinit azx_create(struct snd_card *card, struct pci_dev *pci,
}
strcpy(card->driver, "HDA-Intel");
- strcpy(card->shortname, driver_short_names[chip->driver_type]);
- sprintf(card->longname, "%s at 0x%lx irq %i",
- card->shortname, chip->addr, chip->irq);
+ strlcpy(card->shortname, driver_short_names[chip->driver_type],
+ sizeof(card->shortname));
+ snprintf(card->longname, sizeof(card->longname),
+ "%s at 0x%lx irq %i",
+ card->shortname, chip->addr, chip->irq);
*rchip = chip;
return 0;
linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch:
af9015.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch ---
From: Jan Nikitenko <jan.nikitenko at gmail.com>
Date: Tue, 9 Jun 2009 22:31:55 +0000 (-0300)
Subject: V4L/DVB (11999): af9015: fix stack corruption bug
X-Git-Tag: v2.6.31-rc1~297^2~58
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1e7439388a5aa6decf76ac1d73d5312fe713e6af
V4L/DVB (11999): af9015: fix stack corruption bug
This patch fixes stack corruption bug present in af9015_eeprom_dump():
the buffer buf is one byte smaller than required: 4 chars are needed
for the address prefix, 16*3 chars for the dump of 16 eeprom bytes per
line and 1 byte for the zero terminating the string, i.e. 53 bytes, but
only 52 are provided.
The one byte missing in stack based buffer buf causes following oops
on MIPS little endian platform, because i2c_adap pointer in
af9015_af9013_frontend_attach() is corrupted by inlined function
af9015_eeprom_dump():
CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc ==
803a4488, ra == c049a1c8
Oops[#1]:
Cpu 0
$ 0 : 00000000 10003c00 00000000 803a4468
$ 4 : 8f17c600 8f067b30 00000002 00000038
$ 8 : 00000001 8faf3e98 11da000d 09010002
$12 : 00000000 00000000 00000000 0000000a
$16 : 8f17c600 8f067b68 8faf3c00 8f067c04
$20 : 8f067b9c 00000100 8f067bf0 80104100
$24 : 00000000 2aba9fb0
$28 : 8f066000 8f067af0 802cbc48 c049a1c8
Hi : 00000000
Lo : 00000000
epc : 803a4488 i2c_transfer+0x20/0x104
Not tainted
ra : c049a1c8 af9013_read_reg+0x78/0xc4 [af9013]
Status: 10003c03 KERNEL EXL IE
Cause : 00808008
BadVA : 00000000
PrId : 03030200 (Au1550)
Modules linked in: af9013 dvb_usb_af9015(+) dvb_usb dvb_core firmware_class
i2c_au1550 au1550_spi
Process modprobe (pid: 2757, threadinfo=8f066000, task=8fade098, tls=2aad6470)
Stack : c049f5e0 80163090 805ba880 00000100 8f067bf0 0000d733 8f067b68 8faf3c00
8f067c04 c049a1c8 80163bc0 8056a630 8f067b40 80163224 80569fc8 8f0033d7
00000038 80140003 8f067b2c 00010038 c0420001 8f067b28 c049f5e0 00000004
00000004 c049a524 c049d5a8 c049d5a8 00000000 803a6700 00000000 8f17c600
c042a7a4 8f17c600 c042a7a4 c049c924 00000000 00000000 00000002 613a6c00
...
Call Trace:
[<803a4488>] i2c_transfer+0x20/0x104
[<c049a1c8>] af9013_read_reg+0x78/0xc4 [af9013]
[<c049a524>] af9013_read_reg_bits+0x2c/0x70 [af9013]
[<c049c924>] af9013_attach+0x98/0x65c [af9013]
[<c04257bc>] af9015_af9013_frontend_attach+0x214/0x67c [dvb_usb_af9015]
[<c03e2428>] dvb_usb_adapter_frontend_init+0x20/0x12c [dvb_usb]
[<c03e1ad8>] dvb_usb_device_init+0x374/0x6b0 [dvb_usb]
[<c0426120>] af9015_usb_probe+0x4fc/0xfcc [dvb_usb_af9015]
[<80381024>] usb_probe_interface+0xbc/0x218
[<803227fc>] driver_probe_device+0x12c/0x30c
[<80322a80>] __driver_attach+0xa4/0xac
[<80321ed0>] bus_for_each_dev+0x60/0xd0
[<8032162c>] bus_add_driver+0x1e8/0x2a8
[<80322cdc>] driver_register+0x7c/0x17c
[<80380d30>] usb_register_driver+0xa0/0x12c
[<c042e030>] af9015_usb_module_init+0x30/0x6c [dvb_usb_af9015]
[<8010d2a4>] __kprobes_text_end+0x3c/0x1f4
[<80167150>] sys_init_module+0xb8/0x1cc
[<80102370>] stack_done+0x20/0x3c
Code: afb10018 7000003f 00808021 <8c430000> 7000003f 1060002d 00c09021
8f830014 3c02efff
Signed-off-by: Jan Nikitenko <jan.nikitenko at gmail.com>
Acked-by: Antti Palosaari <crope at iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
---
diff --git a/drivers/media/dvb/dvb-usb/af9015.c b/drivers/media/dvb/dvb-usb/af9015.c
index 9155a79..4cb31e7 100644
--- a/drivers/media/dvb/dvb-usb/af9015.c
+++ b/drivers/media/dvb/dvb-usb/af9015.c
@@ -538,7 +538,7 @@ exit:
/* dump eeprom */
static int af9015_eeprom_dump(struct dvb_usb_device *d)
{
- char buf[52], buf2[4];
+ char buf[4+3*16+1], buf2[4];
u8 reg, val;
for (reg = 0; ; reg++) {
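Review bot: The new size `4+3*16+1` in af9015_eeprom_dump() is linked to the formatting code only by arithmetic in the declaration, so a later change to the line format could reintroduce the one-byte overflow unnoticed. A comment on the declaration such as `/* 4 (address prefix) + 16 * 3 (hex bytes) + 1 (NUL) */` would record the breakdown given in the commit message. The loop that fills `buf` lies outside this hunk; if it builds the line with unbounded sprintf()/strcat() calls, bounding those writes with `sizeof(buf)` would turn any future miscalculation into truncation rather than stack corruption.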
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1716
retrieving revision 1.1717
diff -u -p -r1.1716 -r1.1717
--- kernel.spec 27 Aug 2009 18:23:32 -0000 1.1716
+++ kernel.spec 27 Aug 2009 18:52:06 -0000 1.1717
@@ -727,6 +727,9 @@ Patch14030: linux-2.6-x86-dont-call-send
# fix race in clone()
Patch14040: linux-2.6-clone-fix-race-between-copy-process-and-de-thread.patch
+# Fix string overflows found by stackprotector:
+Patch14050: hda-check-strcpy-length.patch
+Patch14060: linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1342,6 +1345,10 @@ ApplyPatch linux-2.6-x86-dont-call-send-
# fix race in clone()
ApplyPatch linux-2.6-clone-fix-race-between-copy-process-and-de-thread.patch
+# Fix string overflows found by stackprotector:
+ApplyPatch hda-check-strcpy-length.patch
+ApplyPatch linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -1927,6 +1934,11 @@ fi
# and build.
%changelog
+* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.5-38
+- Fix string overflows found by stackprotector:
+ hda-check-strcpy-length.patch
+ linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch
+
* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.5-37
- Fix race in clone() syscall.