From patchwork Thu Jun 18 11:11:57 2009
X-Patchwork-Submitter: Jan Nikitenko
X-Patchwork-Id: 31102
Date: Thu, 18 Jun 2009 13:11:57 +0200
From: Jan Nikitenko
To: Mauro Carvalho Chehab
Cc: linux-media@vger.kernel.org, Antti Palosaari, Christopher Pascoe
Subject: [PATCH v2] zl10353 and qt1010: fix stack corruption bug
Message-ID: <20090618111157.GB9575@nikitenko.systek.local>
In-Reply-To: <20090617101845.425f9249@pedra.chehab.org>

This patch fixes stack corruption bug present in dump_regs function of zl10353 and qt1010 drivers: the buffer buf was one byte smaller than required - there are 4 chars for address prefix, 16 * 3 chars for dump of 16 eeprom bytes per line and 1 byte for zero ending the string required, i.e. 53 bytes, but only 52 were provided.

The one byte missing in stack based buffer buf can cause stack corruption possibly leading to kernel oops, as discovered originally with af9015 driver (af9015: fix stack corruption bug).

This is second version of the patch for zl10353 and qt1010 that uses continual printk instead of stack based buffer with proper magic number size.

Signed-off-by: Jan Nikitenko
---
 linux/drivers/media/common/tuners/qt1010.c | 12 +++++-------
 linux/drivers/media/dvb/frontends/zl10353.c | 12 +++++-------
 2 files changed, 10 insertions(+), 14 deletions(-)

diff -r 722c6faf3ab5 linux/drivers/media/common/tuners/qt1010.c --- a/linux/drivers/media/common/tuners/qt1010.c Wed Jun 17 22:39:23 2009 -0300 
+++ b/linux/drivers/media/common/tuners/qt1010.c Thu Jun 18 08:49:58 2009 +0200 @@ -65,24 +65,22 @@ /* dump all registers */ static void qt1010_dump_regs(struct qt1010_priv *priv) { - char buf[52], buf2[4]; u8 reg, val; for (reg = 0; ; reg++) { if (reg % 16 == 0) { if (reg) - printk("%s\n", buf); - sprintf(buf, "%02x: ", reg); + printk(KERN_CONT "\n"); + printk(KERN_DEBUG "%02x:", reg); } if (qt1010_readreg(priv, reg, &val) == 0) - sprintf(buf2, "%02x ", val); + printk(KERN_CONT " %02x", val); else - strcpy(buf2, "-- "); - strcat(buf, buf2); + printk(KERN_CONT " --"); if (reg == 0x2f) break; } - printk("%s\n", buf); + printk(KERN_CONT "\n"); } static int qt1010_set_params(struct dvb_frontend *fe, diff -r 722c6faf3ab5 linux/drivers/media/dvb/frontends/zl10353.c --- a/linux/drivers/media/dvb/frontends/zl10353.c Wed Jun 17 22:39:23 2009 -0300 +++ b/linux/drivers/media/dvb/frontends/zl10353.c Thu Jun 18 08:49:58 2009 +0200 @@ -102,7 +102,6 @@ static void zl10353_dump_regs(struct dvb_frontend *fe) { struct zl10353_state *state = fe->demodulator_priv; - char buf[52], buf2[4]; int ret; u8 reg; @@ -110,19 +109,18 @@ for (reg = 0; ; reg++) { if (reg % 16 == 0) { if (reg) - printk(KERN_DEBUG "%s\n", buf); - sprintf(buf, "%02x: ", reg); + printk(KERN_CONT "\n"); + printk(KERN_DEBUG "%02x:", reg); } ret = zl10353_read_register(state, reg); if (ret >= 0) - sprintf(buf2, "%02x ", (u8)ret); + printk(KERN_CONT " %02x", (u8)ret); else - strcpy(buf2, "-- "); - strcat(buf, buf2); + printk(KERN_CONT " --"); if (reg == 0xff) break; } - printk(KERN_DEBUG "%s\n", buf); + printk(KERN_CONT "\n"); } #endif
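
Review bot: In the qt1010.c hunk, qt1010_dump_regs changes log level as a side effect: the removed lines used an unlevelled `printk("%s\n", buf)`, while the new row prefix is `printk(KERN_DEBUG "%02x:", reg)`, so the dump now goes out at debug level instead of the default level. The changelog only describes the buffer fix; either mention the level change there or keep the previous level so that anyone relying on the dump appearing in the log is not surprised.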
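
Review bot: In the zl10353.c loop hunk (`@@ -110,19 +109,18 @@`), each 16-register row is now emitted as 17 separate printk calls with a `zl10353_read_register(state, reg)` call between fragments, and KERN_CONT fragments are not guaranteed to stay contiguous when another context logs in between, so rows of the 0x00..0xff dump can come out split across unrelated messages. If intact rows matter for debugging, consider formatting each row into a buffer whose size is derived from the layout (4 + 16 * 3 + 1) with a bounded formatter and emitting one printk per row, which also removes the magic number the changelog objects to.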
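
The size arithmetic from the commit message (4 + 16 * 3 + 1 = 53), as an added userspace example that is not part of the patch or the drivers: `ROW_BUF_LEN`, `format_row` and `fits_in` are hypothetical names, and `snprintf` stands in for a bounded formatter so that a 52-byte buffer is reported as too small instead of being overrun.

```c
#include <stdio.h>
#include <stddef.h>

#define ROW_BYTES 16
/* "xx: " prefix + "xx " per byte + terminating NUL = 4 + 16*3 + 1 = 53 */
#define ROW_BUF_LEN (4 + ROW_BYTES * 3 + 1)

/* Hypothetical helper: format one dump row into dst without ever writing
 * past dstsz. vals[i] < 0 models a failed register read ("-- ").
 * Returns the string length on success, -1 if dst is too small. */
static int format_row(char *dst, size_t dstsz, unsigned reg,
                      const int *vals, int n)
{
    size_t off;
    int w, i;

    w = snprintf(dst, dstsz, "%02x: ", reg & 0xffu);
    if (w < 0 || (size_t)w >= dstsz)
        return -1;
    off = (size_t)w;
    for (i = 0; i < n; i++) {
        if (vals[i] >= 0)
            w = snprintf(dst + off, dstsz - off, "%02x ",
                         (unsigned)vals[i] & 0xffu);
        else
            w = snprintf(dst + off, dstsz - off, "-- ");
        if (w < 0 || (size_t)w >= dstsz - off)
            return -1;          /* would not fit once the NUL is counted */
        off += (size_t)w;
    }
    return (int)off;
}

/* Does a full 16-byte row fit in a buffer declared with bufsz bytes? */
static int fits_in(size_t bufsz)
{
    char buf[64];               /* backing store, larger than any tested size */
    int vals[ROW_BYTES] = {0};  /* constructed sample register values */

    vals[3] = -1;               /* constructed sample: one failed read */
    return format_row(buf, bufsz, 0x10, vals, ROW_BYTES) >= 0;
}

int main(void)
{
    printf("needed=%d fits(52)=%d fits(53)=%d\n",
           ROW_BUF_LEN, fits_in(52), fits_in(53));
    return 0;
}
```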