Re: [PATCH] input: spi: Driver for SPI data stream driven vibrator

From: Alan Cox
Date: Mon Nov 08 2010 - 06:40:39 EST


On Mon, 8 Nov 2010 12:08:07 +0100
<ilkka.koskinen@xxxxxxxxx> wrote:

> Hi,
>
> >From: ext Alan Cox [mailto:alan@xxxxxxxxxxxxxxxxxxx]
> >Sent: 08 November, 2010 01:52
> >
> >> + datalen = p->custom_len * sizeof(p->custom_data[0]);
> >
> >signed
> >
> >> + if (datalen > MAX_EFFECT_SIZE) {
> >
> >unsigned
>
> It should be unsigned. I'll fix it.
>
> >> + memcpy(einfo->buf, p->custom_data, datalen);
> >
> >ungood
>
> Yep, that's clearly wrong too. Should be copy_from_user() I suppose.

That I hadn't considered - and I'm not sure whether the caller is passed
a kernel copy or not. The problem I was looking at was just the signed
case

datalen < 0
if (datalen > MAX ..)
Nope

memcpy(kernel, mysource, vastly more than intended (unsigned))

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/