From patchwork Sun Nov 10 18:38:38 2013
X-Patchwork-Submitter: Michal Nazarewicz
X-Patchwork-Id: 3165761
From: Michal Nazarewicz
To: Jean-Christophe Plagniol-Villard, Tomi Valkeinen
Cc: linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] drivers: video: metronomefb: avoid out-of-bounds array access
Date: Sun, 10 Nov 2013 19:38:38 +0100
Message-Id: <1384108718-23637-1-git-send-email-mpn@google.com>
X-Mailer: git-send-email 1.8.4.1
List-ID: linux-fbdev@vger.kernel.org
From: Michal Nazarewicz

load_waveform function checks whether padding bytes in stuff2a and stuff2b are all zero, but does so by treating those arrays as a single longer array. Since the structure is packed, and the size sum matches, it all works, but creates some confusion in the code.

This commit changes the stuff2a and stuff2b arrays into pad1 and pad2 fields such that they cover the same bytes as the arrays covered, and changes the check in the load_waveform function so that the fields are read instead of iterating over an array. It also renames the other “stuff” fields to “ignore*” fields to give them more semantic meaning.
---
drivers/video/metronomefb.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/drivers/video/metronomefb.c b/drivers/video/metronomefb.c index 195cc2d..4f36a2b 100644 --- a/drivers/video/metronomefb.c +++ b/drivers/video/metronomefb.c @@ -126,7 +126,7 @@ static struct fb_var_screeninfo metronomefb_var = { /* the waveform structure that is coming from userspace firmware */ struct waveform_hdr { - u8 stuff[32]; + u8 ignore1[32]; u8 wmta[3]; u8 fvsn; @@ -134,13 +134,14 @@ struct waveform_hdr { u8 luts; u8 mc; u8 trc; - u8 stuff3; + u8 ignore2; u8 endb; u8 swtb; - u8 stuff2a[2]; + u32 pad1; /* u16 halfof(pad1) */ - u8 stuff2b[3]; + /* u16 halfof(pad1) */ + u8 pad2; u8 wfm_cs; } __attribute__ ((packed)); @@ -210,11 +211,9 @@ static int load_waveform(u8 *mem, size_t size, int m, int t, } wfm_hdr->mc += 1; wfm_hdr->trc += 1; - for (i = 0; i < 5; i++) { - if (*(wfm_hdr->stuff2a + i) != 0) { - dev_err(dev, "Error: unexpected value in padding\n"); - return -EINVAL; - } + if (wfm_hdr->pad1 || wfm_hdr->pad2) { + dev_err(dev, "Error: unexpected value in padding\n"); + return -EINVAL; } /* calculating trn. trn is something used to index into
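Review bot: the rename of `stuff` to `ignore1` in the first hunk (and of `stuff3` to `ignore2` in the second) is pure churn with no functional change and would be easier to review as a separate cleanup patch; if it stays, `reserved1`/`reserved2` is the conventional name for bytes a firmware-defined header carries but the driver does not interpret. "ignore" does not tell the reader whether the bytes are merely skipped or must be zero, which is exactly the distinction the `pad1`/`pad2` check in the later hunk relies on.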
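Review bot: the two `/* u16 halfof(pad1) */` comments in the second hunk explain nothing to a reader who does not already know the old 2 + 3 byte split, and the `u32` + `u8` pair hides that the format simply has five reserved bytes here. By the field sizes shown in the two hunks, `pad1` starts at byte offset 42 of the header, so it is a `u32` that is never 4-byte aligned and only works because of `__attribute__ ((packed))`. A plain `u8 pad[5]; /* must be zero */` keeps the layout self-describing, and the zero test can then be `memchr_inv(wfm_hdr->pad, 0, sizeof(wfm_hdr->pad))`, which avoids both the misaligned integer field and the original out-of-bounds indexing.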
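Review bot: the subject line promises to avoid an out-of-bounds array access while the body says the old code "all works"; the third hunk is where that should be pinned down. The removed loop indexes `stuff2a[0..4]` on a two-element array, which is undefined behaviour in C and what `-Warray-bounds`-style checks flag, even though every byte read stayed inside the packed header, so the message should say the fix removes that out-of-bounds indexing rather than a real memory-safety bug. The replacement `if (wfm_hdr->pad1 || wfm_hdr->pad2)` is a valid zero test regardless of endianness, but a one-line comment saying so (and that the header comes from userspace firmware) would spare the next reader the same doubt. Also check whether `i` is still used elsewhere in `load_waveform`; the hunk context does not show it, and if the loop was its only user the declaration should go in the same patch.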