From patchwork Sat Oct 26 14:58:48 2013
X-Patchwork-Submitter: Michal Nazarewicz
X-Patchwork-Id: 3098471
From: Michal Nazarewicz
To: Jean-Christophe Plagniol-Villard, Tomi Valkeinen
Cc: linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] drivers: video: metronomefb: avoid out-of-bounds array access
Date: Sat, 26 Oct 2013 15:58:48 +0100
Message-Id: <3c610da0d5b555453d5295aae720042f1c065cab.1382791126.git.mina86@mina86.com>
X-Mailing-List: linux-fbdev@vger.kernel.org
From: Michal Nazarewicz

load_waveform function checks whether padding bytes in stuff2a and stuff2b are all zero, but does so by treating those arrays as a single longer array. Since the structure is packed, and the size sum matches, it all works, but creates some confusion in the code.

This commit changes the stuff2a and stuff2b arrays into pad1 and pad2 fields such that they cover the same bytes as the arrays covered, and changes the check in the load_waveform function so that the fields are read instead of iterating over an array. It also renames the other “stuff” fields to “ignore*” fields to give them more semantic meaning.

Signed-off-by: Michal Nazarewicz
--- drivers/video/metronomefb.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/drivers/video/metronomefb.c b/drivers/video/metronomefb.c index f30150d..44ef8b0 100644 --- a/drivers/video/metronomefb.c +++ b/drivers/video/metronomefb.c @@ -126,7 +126,7 @@ static struct fb_var_screeninfo metronomefb_var = { /* the waveform structure that is coming from userspace firmware */ struct waveform_hdr { - u8 stuff[32]; + u8 ignore1[32]; u8 wmta[3]; u8 fvsn; @@ -134,13 +134,14 @@ struct waveform_hdr { u8 luts; u8 mc; u8 trc; - u8 stuff3; + u8 ignore2; u8 endb; u8 swtb; - u8 stuff2a[2]; + u32 pad1; /* u16 halfof(pad1) */ - u8 stuff2b[3]; + /* u16 halfof(pad1) */ + u8 pad2; u8 wfm_cs; } __attribute__ ((packed)); @@ -210,11 +211,9 @@ static int load_waveform(u8 *mem, size_t size, int m, int t, } wfm_hdr->mc += 1; wfm_hdr->trc += 1; - for (i = 0; i < 5; i++) { - if (*(wfm_hdr->stuff2a + i) != 0) { - dev_err(dev, "Error: unexpected value in padding\n"); - return -EINVAL; - } + if (wfm_hdr->pad1 || wfm_hdr->pad2) { + dev_err(dev, "Error: unexpected value in padding\n"); + return -EINVAL; } /* calculating trn. trn is something used to index into
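Review bot: in the `@@ -134,13 +134,14 @@` struct hunk, the two `/* u16 halfof(pad1) */` comments do not explain the layout; replace them with one comment stating that `u32 pad1` plus `u8 pad2` cover the five bytes formerly declared as `stuff2a[2]` and `stuff2b[3]`, and add a `BUILD_BUG_ON` on `sizeof(struct waveform_hdr)` so a later edit cannot silently change the size of a header that is parsed straight out of a firmware buffer. Because the struct is `packed`, `pad1` sits at an offset that is not 4-byte aligned; the attribute makes the compiler emit a safe access, and since only non-zero-ness is tested the byte order of the u32 does not matter, but a short comment saying so would save the next reader the same analysis.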
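Review bot: in the `@@ -210,11 +211,9 @@` hunk the removed `for (i = 0; i < 5; i++)` loop was the only use of `i` visible here; if `load_waveform` has no other use of it, drop its declaration so the build does not pick up an unused-variable warning. The replacement keeps the behaviour (firmware with non-zero padding is rejected with `-EINVAL` and the same `dev_err` message), which is the right outcome: the old loop stepped `stuff2a + i` up to index 4 past a 2-byte array and relied on the adjacent `stuff2b` bytes, which is exactly the out-of-bounds indexing the subject line names.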
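The layout equivalence the commit message relies on (pad1 + pad2 covering the same bytes as stuff2a + stuff2b) can be checked at compile time, and the new padding test exercised on constructed header images. This is an added example, not code from the patch or the driver; both structs are models built only from the fields visible in the hunks, so their offsets are those of the model, not of the real waveform_hdr.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint8_t u8; typedef uint32_t u32;

/* Constructed model of both layouts: only the fields visible in the diff
 * hunks, so offsets are those of this model, not of the real driver. */
struct waveform_hdr_old {           /* '-' side of the diff */
	u8 stuff[32]; u8 wmta[3]; u8 fvsn; u8 luts; u8 mc; u8 trc;
	u8 stuff3; u8 endb; u8 swtb;
	u8 stuff2a[2]; u8 stuff2b[3]; u8 wfm_cs;
} __attribute__((packed));

struct waveform_hdr {               /* '+' side of the diff */
	u8 ignore1[32]; u8 wmta[3]; u8 fvsn; u8 luts; u8 mc; u8 trc;
	u8 ignore2; u8 endb; u8 swtb;
	u32 pad1; u8 pad2;          /* former stuff2a[2] + stuff2b[3] */
	u8 wfm_cs;
} __attribute__((packed));

/* The layout equivalence the commit message claims, checked at compile time. */
_Static_assert(sizeof(struct waveform_hdr) == sizeof(struct waveform_hdr_old),
	       "header size changed");
_Static_assert(offsetof(struct waveform_hdr, pad1) ==
	       offsetof(struct waveform_hdr_old, stuff2a), "pad1 misplaced");
_Static_assert(offsetof(struct waveform_hdr, pad2) ==
	       offsetof(struct waveform_hdr_old, stuff2b) + 2, "pad2 misplaced");

/* Padding check as in the patched load_waveform(): only zero-ness matters,
 * so byte order of pad1 is irrelevant; packed makes the unaligned load safe. */
int check_padding(const u8 *mem, size_t size)
{
	const struct waveform_hdr *hdr = (const struct waveform_hdr *)mem;

	if (size < sizeof(*hdr))
		return -EINVAL;
	return (hdr->pad1 || hdr->pad2) ? -EINVAL : 0;
}

/* Zeroed header image (constructed sample) with one byte set to 1 at
 * poison_offset; an offset past the end leaves the image all-zero. */
int check_sample(size_t poison_offset)
{
	u8 buf[sizeof(struct waveform_hdr)] = { 0 };

	if (poison_offset < sizeof(buf))
		buf[poison_offset] = 1;
	return check_padding(buf, sizeof(buf));
}
```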