On Tue, May 05, 2015 at 06:36:18PM -0400, Benjamin Romer wrote:
> From: Prarit Bhargava <prarit@xxxxxxxxxx>
>
> Just some cleanups for visorchannel.c, and removal of
> safe_sig_queue_validate() which is dead code.
>
> Signed-off-by: Prarit Bhargava <prarit@xxxxxxxxxx>
> Signed-off-by: Benjamin Romer <benjamin.romer@xxxxxxxxxx>
> ---
>  drivers/staging/unisys/visorbus/visorchannel.c | 110 +++++++++----------------
>  1 file changed, 41 insertions(+), 69 deletions(-)
>
> diff --git a/drivers/staging/unisys/visorbus/visorchannel.c b/drivers/staging/unisys/visorbus/visorchannel.c
> index ff14a0d..30bedcc 100644
> --- a/drivers/staging/unisys/visorbus/visorchannel.c
> +++ b/drivers/staging/unisys/visorbus/visorchannel.c
> @@ -211,13 +211,12 @@ int
>  visorchannel_read(struct visorchannel *channel, ulong offset,
>  		  void *local, ulong nbytes)
>  {
> -	int rc = visor_memregion_read(channel->memregion, offset,
> -				      local, nbytes);
> -	if ((rc >= 0) && (offset == 0) &&
> -	    (nbytes >= sizeof(struct channel_header))) {
> -		memcpy(&channel->chan_hdr, local,
> -		       sizeof(struct channel_header));
> -	}
> +	int rc;
> +	size_t size = sizeof(struct channel_header);
> +
> +	rc = visor_memregion_read(channel->memregion, offset, local, nbytes);
> +	if (rc && !offset && (nbytes >= size))
> +		memcpy(&channel->chan_hdr, local, size);
>  	return rc;
>  }

This function is decidedly odd.  So if visor_memregion_read() fails (which
can only happen if we try to read too much data) and offset is zero and
nbytes is too large then we corrupt memory and return failure.  Woohoo!

Fortunately the only place which can call this with invalid nbytes is
visorchannel_dump_section() and that seems to be dead code.

visorchannel_write() has the same issues but there are no callers which
pass invalid "nbytes".

regards,
dan carpenter
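Review bot: the rewritten condition in the visorchannel_read() hunk inverts the success test. The removed code copied the header only when `rc >= 0`, i.e. after a successful read; the replacement `if (rc && !offset && (nbytes >= size))` is true only when rc is non-zero, which per the reply above is the failure path of visor_memregion_read(), so `channel->chan_hdr` is overwritten from a `local` buffer the failed read did not fill. If zero is the only success value, write `if (!rc && !offset && nbytes >= size)`; otherwise keep the original `rc >= 0` test. The same inversion should be checked in visorchannel_write(), which the reply says has the same structure.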