diff options
| author | Andi Kleen <ak@linux.intel.com> | 2019-02-05 13:05:20 +1100 |
|---|---|---|
| committer | Stephen Rothwell <sfr@canb.auug.org.au> | 2019-02-06 16:25:53 +1100 |
| commit | c079194c1d2fe7190fcf04fea544f3b3a25f1741 (patch) | |
| tree | 27fc9e7988753346b4f72d51c364553004af8f6d /arch/ia64/include/asm/percpu.h | |
| parent | 5c9aaff7e415bd3b5043118a410b20918fb09a09 (diff) | |
| download | linux-next-c079194c1d2fe7190fcf04fea544f3b3a25f1741.tar.gz | |
drivers/media/platform/sti/delta/delta-ipc.c: fix read buffer overflow
The single caller passes a string to delta_ipc_open, which copies with a
fixed size larger than the string. So it copies some random data after
the original string the ro segment.
If the string was at the end of a page it may fault.
Just copy the string with a normal strcpy after clearing the field.
Found by a LTO build (which errors out)
because the compiler inlines the functions and can resolve
the string sizes and triggers the compile time checks in memcpy.
In function `memcpy',
inlined from `delta_ipc_open.constprop' at linux/drivers/media/platform/sti/delta/delta-ipc.c:178:0,
inlined from `delta_mjpeg_ipc_open' at linux/drivers/media/platform/sti/delta/delta-mjpeg-dec.c:227:0,
inlined from `delta_mjpeg_decode' at linux/drivers/media/platform/sti/delta/delta-mjpeg-dec.c:403:0:
/home/andi/lsrc/linux/include/linux/string.h:337:0: error: call to `__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
__read_overflow2();
Link: http://lkml.kernel.org/r/20171222001212.1850-1-andi@firstfloor.org
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Cc: Hugues FRUCHET <hugues.fruchet@st.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Diffstat (limited to 'arch/ia64/include/asm/percpu.h')
0 files changed, 0 insertions, 0 deletions