On Wed, Jul 26, 2017 at 09:13:57PM -0400, Jacob von Chorus wrote:
> Four fields in struct fpgaimage are char arrays of length MAX_STR (256).
> The amount of data read into these buffers is controlled by a length
> field in the bitstream file read from userspace. If a corrupt or
> malicious firmware file was supplied, kernel data beyond these buffers
> can be overwritten arbitrarily.
>
> This patch adds a check of the bitstream's length value to ensure it
> fits within the bounds of the allocated buffers. An error condition is
> returned from gs_read_bitstream if any of the reads fail.
>
> Signed-off-by: Jacob von Chorus <jacobvonchorus@xxxxxxxxxx>
>
> v3:
> - use >= to prevent an integer overflow in the comparison
> - use get_unaligned_be functions to interpret length fields
> - fix remainder of file to use valid error codes
>
> v2:
> - char arrays converted to u8 arrays
> - replace error return value with proper error code in
>   gs_read_bitstream
> ---

All of the v2: and such needs to go below the --- line, as
Documentation/SubmittingPatches says to do.

Please fix that up and resend the series.

thanks,

greg k-h
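The bounds check the quoted commit message describes, as a user-space sketch added here for illustration; it is not code from the patch or from the driver. The names `be16_at`, `read_field`, `check_sample` and the sample arrays are hypothetical, the 2-byte big-endian length prefix is an assumption about the field layout, and `be16_at` stands in for the kernel's `get_unaligned_be16()`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STR 256 /* buffer size named in the commit message */

/* Byte-wise read, safe at any alignment (stand-in for get_unaligned_be16) */
static uint16_t be16_at(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Copy one length-prefixed field from data[*off..size) into buf.
 * Returns 0 and advances *off, or -EINVAL without writing to buf. */
static int read_field(const uint8_t *data, size_t size, size_t *off,
		      uint8_t buf[MAX_STR])
{
	uint16_t len;

	if (*off > size || size - *off < 2)	/* no room for the prefix */
		return -EINVAL;
	len = be16_at(data + *off);
	/* ">=" compares the untrusted value directly, with no "len + 1"
	 * arithmetic that could wrap, and keeps a byte for the terminator */
	if (len >= MAX_STR)
		return -EINVAL;
	if (size - *off - 2 < len)		/* field runs past end of input */
		return -EINVAL;
	memcpy(buf, data + *off + 2, len);
	buf[len] = '\0';
	*off += 2 + (size_t)len;
	return 0;
}

/* Constructed inputs: valid 3-byte field, claimed length 256, truncated field */
static const uint8_t sample_ok[] = { 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t sample_big[] = { 0x01, 0x00, 'x' };
static const uint8_t sample_short[] = { 0x00, 0x05, 'a' };

int check_sample(const uint8_t *data, size_t size)
{
	uint8_t buf[MAX_STR];
	size_t off = 0;

	return read_field(data, size, &off, buf);
}

int main(void)
{
	printf("%d %d %d\n", check_sample(sample_ok, sizeof(sample_ok)),
	       check_sample(sample_big, sizeof(sample_big)),
	       check_sample(sample_short, sizeof(sample_short)));
	return 0;
}
```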