rpms/kernel/F-11 hda-check-strcpy-length.patch, NONE, 1.1 linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch, NONE, 1.1 kernel.spec, 1.1716, 1.1717

[Chuck Ebbert]

Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23185

Modified Files:
	kernel.spec 
Added Files:
	hda-check-strcpy-length.patch 
	linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch 
Log Message:
Fix string overflows found by stackprotector:
  hda-check-strcpy-length.patch
  linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch

hda-check-strcpy-length.patch:
 hda_codec.c |    2 ++
 hda_intel.c |   10 ++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

--- NEW FILE hda-check-strcpy-length.patch ---
From: Takashi Iwai <tiwai at suse.de>
Date: Thu, 16 Apr 2009 08:22:24 +0000 (+0200)
Subject: ALSA: hda - Check strcpy length
X-Git-Tag: v2.6.31-rc1~38^2~11^2~54
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=18cb7109d3e83195b605ff2905981020e86f72ca

ALSA: hda - Check strcpy length

Check the length to copy via strlen() beforehand to avoid the stack
corruption, or use strlcpy() to be safe in HD-audio codes.

Signed-off-by: Takashi Iwai <tiwai at suse.de>
---

diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
index 37f24ce..48f0cea 100644
--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -1431,6 +1431,8 @@ _snd_hda_find_mixer_ctl(struct hda_codec *codec,
 	memset(&id, 0, sizeof(id));
 	id.iface = SNDRV_CTL_ELEM_IFACE_MIXER;
 	id.index = idx;
+	if (snd_BUG_ON(strlen(name) >= sizeof(id.name)))
+		return NULL;
 	strcpy(id.name, name);
 	return snd_ctl_find_id(codec->bus->card, &id);
 }
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index 21a3092..41db5d4 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -1830,7 +1830,7 @@ azx_attach_pcm_stream(struct hda_bus *bus, struct hda_codec *codec,
 			  &pcm);
 	if (err < 0)
 		return err;
-	strcpy(pcm->name, cpcm->name);
+	strlcpy(pcm->name, cpcm->name, sizeof(pcm->name));
 	apcm = kzalloc(sizeof(*apcm), GFP_KERNEL);
 	if (apcm == NULL)
 		return -ENOMEM;
@@ -2358,9 +2358,11 @@ static int __devinit azx_create(struct snd_card *card, struct pci_dev *pci,
 	}
 
 	strcpy(card->driver, "HDA-Intel");
-	strcpy(card->shortname, driver_short_names[chip->driver_type]);
-	sprintf(card->longname, "%s at 0x%lx irq %i",
-		card->shortname, chip->addr, chip->irq);
+	strlcpy(card->shortname, driver_short_names[chip->driver_type],
+		sizeof(card->shortname));
+	snprintf(card->longname, sizeof(card->longname),
+		 "%s at 0x%lx irq %i",
+		 card->shortname, chip->addr, chip->irq);
 
 	*rchip = chip;
 	return 0;

linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch:
 af9015.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch ---
From: Jan Nikitenko <jan.nikitenko at gmail.com>
Date: Tue, 9 Jun 2009 22:31:55 +0000 (-0300)
Subject: V4L/DVB (11999): af9015: fix stack corruption bug
X-Git-Tag: v2.6.31-rc1~297^2~58
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1e7439388a5aa6decf76ac1d73d5312fe713e6af

V4L/DVB (11999): af9015: fix stack corruption bug

This patch fixes stack corruption bug present in af9015_eeprom_dump():
the buffer buf is one byte smaller than required - there is 4 chars
for address prefix, 16*3 chars for dump of 16 eeprom bytes per line
and 1 byte for zero ending the string required, i.e. 53 bytes, but
only 52 are provided.
The one byte missing in stack based buffer buf causes following oops
on MIPS little endian platform, because i2c_adap pointer in
af9015_af9013_frontend_attach() is corrupted by inlined function
af9015_eeprom_dump():

CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc ==
803a4488, ra == c049a1c8
Oops[#1]:
Cpu 0
$ 0   : 00000000 10003c00 00000000 803a4468
$ 4   : 8f17c600 8f067b30 00000002 00000038
$ 8   : 00000001 8faf3e98 11da000d 09010002
$12   : 00000000 00000000 00000000 0000000a
$16   : 8f17c600 8f067b68 8faf3c00 8f067c04
$20   : 8f067b9c 00000100 8f067bf0 80104100
$24   : 00000000 2aba9fb0
$28   : 8f066000 8f067af0 802cbc48 c049a1c8
Hi    : 00000000
Lo    : 00000000
epc   : 803a4488 i2c_transfer+0x20/0x104
   Not tainted
ra    : c049a1c8 af9013_read_reg+0x78/0xc4 [af9013]
Status: 10003c03    KERNEL EXL IE
Cause : 00808008
BadVA : 00000000
PrId  : 03030200 (Au1550)
Modules linked in: af9013 dvb_usb_af9015(+) dvb_usb dvb_core firmware_class
i2c_au1550 au1550_spi
Process modprobe (pid: 2757, threadinfo=8f066000, task=8fade098, tls=2aad6470)
Stack : c049f5e0 80163090 805ba880 00000100 8f067bf0 0000d733 8f067b68 8faf3c00
       8f067c04 c049a1c8 80163bc0 8056a630 8f067b40 80163224 80569fc8 8f0033d7
       00000038 80140003 8f067b2c 00010038 c0420001 8f067b28 c049f5e0 00000004
       00000004 c049a524 c049d5a8 c049d5a8 00000000 803a6700 00000000 8f17c600
       c042a7a4 8f17c600 c042a7a4 c049c924 00000000 00000000 00000002 613a6c00
       ...
Call Trace:
[<803a4488>] i2c_transfer+0x20/0x104
[<c049a1c8>] af9013_read_reg+0x78/0xc4 [af9013]
[<c049a524>] af9013_read_reg_bits+0x2c/0x70 [af9013]
[<c049c924>] af9013_attach+0x98/0x65c [af9013]
[<c04257bc>] af9015_af9013_frontend_attach+0x214/0x67c [dvb_usb_af9015]
[<c03e2428>] dvb_usb_adapter_frontend_init+0x20/0x12c [dvb_usb]
[<c03e1ad8>] dvb_usb_device_init+0x374/0x6b0 [dvb_usb]
[<c0426120>] af9015_usb_probe+0x4fc/0xfcc [dvb_usb_af9015]
[<80381024>] usb_probe_interface+0xbc/0x218
[<803227fc>] driver_probe_device+0x12c/0x30c
[<80322a80>] __driver_attach+0xa4/0xac
[<80321ed0>] bus_for_each_dev+0x60/0xd0
[<8032162c>] bus_add_driver+0x1e8/0x2a8
[<80322cdc>] driver_register+0x7c/0x17c
[<80380d30>] usb_register_driver+0xa0/0x12c
[<c042e030>] af9015_usb_module_init+0x30/0x6c [dvb_usb_af9015]
[<8010d2a4>] __kprobes_text_end+0x3c/0x1f4
[<80167150>] sys_init_module+0xb8/0x1cc
[<80102370>] stack_done+0x20/0x3c

Code: afb10018  7000003f  00808021 <8c430000> 7000003f  1060002d  00c09021
8f830014  3c02efff

Signed-off-by: Jan Nikitenko <jan.nikitenko at gmail.com>
Acked-by: Antti Palosaari <crope at iki.fi>
Signed-off-by: Mauro Carvalho Chehab <mchehab at redhat.com>
---

diff --git a/drivers/media/dvb/dvb-usb/af9015.c b/drivers/media/dvb/dvb-usb/af9015.c
index 9155a79..4cb31e7 100644
--- a/drivers/media/dvb/dvb-usb/af9015.c
+++ b/drivers/media/dvb/dvb-usb/af9015.c
@@ -538,7 +538,7 @@ exit:
 /* dump eeprom */
 static int af9015_eeprom_dump(struct dvb_usb_device *d)
 {
-	char buf[52], buf2[4];
+	char buf[4+3*16+1], buf2[4];
 	u8 reg, val;
 
 	for (reg = 0; ; reg++) {


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1716
retrieving revision 1.1717
diff -u -p -r1.1716 -r1.1717
--- kernel.spec	27 Aug 2009 18:23:32 -0000	1.1716
+++ kernel.spec	27 Aug 2009 18:52:06 -0000	1.1717
@@ -727,6 +727,9 @@ Patch14030: linux-2.6-x86-dont-call-send
 # fix race in clone()
 Patch14040: linux-2.6-clone-fix-race-between-copy-process-and-de-thread.patch
 
+# Fix string overflows found by stackprotector:
+Patch14050: hda-check-strcpy-length.patch
+Patch14060: linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1342,6 +1345,10 @@ ApplyPatch linux-2.6-x86-dont-call-send-
 # fix race in clone()
 ApplyPatch linux-2.6-clone-fix-race-between-copy-process-and-de-thread.patch
 
+# Fix string overflows found by stackprotector:
+ApplyPatch hda-check-strcpy-length.patch
+ApplyPatch linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -1927,6 +1934,11 @@ fi
 # and build.
 
 %changelog
+* Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.5-38
+- Fix string overflows found by stackprotector:
+  hda-check-strcpy-length.patch
+  linux-2.6-v4l-dvb-af9015-fix-stack-corruption.patch
+
 * Thu Aug 27 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.30.5-37
 - Fix race in clone() syscall.