Patch "spi: spidev_test: Fix buffer overflow in unescape()" has been added to the 4.8-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    spi: spidev_test: Fix buffer overflow in unescape()

to the 4.8-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     spi-spidev_test-fix-buffer-overflow-in-unescape.patch
and it can be found in the queue-4.8 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 0278b34bf15f8d8a609595b15909cd8622dd64ca Mon Sep 17 00:00:00 2001
From: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>
Date: Fri, 9 Sep 2016 09:02:51 +0200
Subject: spi: spidev_test: Fix buffer overflow in unescape()

From: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>

commit 0278b34bf15f8d8a609595b15909cd8622dd64ca upstream.

Sometimes spidev_test crashes with:

    *** Error in `spidev_test': munmap_chunk(): invalid pointer: 0x00022020 ***
    Aborted

or just

    Segmentation fault

This is due to transfer_escaped_string() miscalculating the required
size of the buffer by one byte, causing a buffer overflow in unescape().

Drop the bogus "+ 1" in the strlen() parameter to fix this.

Note that unescape() never copies the zero-terminator of the source
string, so it writes at most as many bytes as the length of the source
string.

Fixes: 30061915be6e3a2c (spi: spidev_test: Added input buffer from the terminal)
Signed-off-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>
Signed-off-by: Mark Brown <broonie@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 tools/spi/spidev_test.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/spi/spidev_test.c
+++ b/tools/spi/spidev_test.c
@@ -284,7 +284,7 @@ static void parse_opts(int argc, char *a
 
 static void transfer_escaped_string(int fd, char *str)
 {
-	size_t size = strlen(str + 1);
+	size_t size = strlen(str);
 	uint8_t *tx;
 	uint8_t *rx;
 


Patches currently in stable-queue which might be from geert+renesas@xxxxxxxxx are

queue-4.8/spi-spidev_test-fix-buffer-overflow-in-unescape.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]