[PATCH 1/3] sc16is7xx: Prevent TX buffer overrun, prevent crash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



If the chip wrongly reports a TX FIFO space, bigger than the driver's
buffer, it runs over when copying from the uart_port's buffer to the
driver's. The overrun then destroys the struct sc16is7xx_port, its
struct kworker, and very likely a lot more.
For us, this lead to the immediate crash of the driver's kworker thread.

Prevent a buffer overrun by adding a length check, and thus, no longer
allow a peripheral device to crash the kernel.

Signed-off-by: Florian Achleitner <achleitner.florian@xxxxxxxxxxx>
---
 drivers/tty/serial/sc16is7xx.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
index 02f37dc..9d2ea01 100644
--- a/drivers/tty/serial/sc16is7xx.c
+++ b/drivers/tty/serial/sc16is7xx.c
@@ -631,6 +631,13 @@ static void sc16is7xx_handle_tx(struct uart_port *port)
 		/* Limit to size of TX FIFO */
 		txlen = sc16is7xx_port_read(port, SC16IS7XX_TXLVL_REG);
 		to_send = (to_send > txlen) ? txlen : to_send;
+		/*
+		 * Prevent buffer overrun if reported txlen is flawed
+		 * Limit to the maximum size to the size of s->buf, which
+		 * is the same as the chips fifo size.
+		 */
+		to_send = (to_send > SC16IS7XX_FIFO_SIZE) ?
+				SC16IS7XX_FIFO_SIZE : to_send;
 
 		/* Add data to send */
 		port->icount.tx += to_send;
-- 
2.5.0


--
To unsubscribe from this list: send the line "unsubscribe linux-serial" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux PPP]     [Linux FS]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Linmodem]     [Device Mapper]     [Linux Kernel for ARM]

  Powered by Linux