[PATCH 3.5 06/60] [media] mxl111sf: Fix unintentional garbage stack read

From: Luis Henriques
Date: Fri Feb 21 2014 - 08:24:54 EST


3.5.7.31 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Dave Jones <davej@xxxxxxxxxxxxxxxxx>

commit 866e8d8a9dc1ebb4f9e67197e264ac2df81f7d4b upstream.

mxl111sf_read_reg takes an address of a variable to write to as an argument.
drivers/media/usb/dvb-usb-v2/mxl111sf-gpio.c:mxl111sf_config_pin_mux_modes
passes several uninitialized stack variables to this routine, expecting
them to be filled in. In the event that something unexpected happens when
reading from the chip, we end up doing a pr_debug of the value passed in,
revealing whatever garbage happened to be on the stack.

Change the pr_debug to match what happens in the 'success' case, where we
assign buf[1] to *data.

Spotted with Coverity (Bugs 731910 through 731917)

Signed-off-by: Dave Jones <davej@xxxxxxxxxxxxxxxxx>
Signed-off-by: Michael Krufky <mkrufky@xxxxxxxxxxx>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@xxxxxxxxxxx>
[ luis: backported to 3.5:
- file rename: drivers/media/usb/dvb-usb-v2/mxl111sf.c ->
drivers/media/dvb/dvb-usb/mxl111sf.c
- replaced pr_debug() by deb_reg() ]
Signed-off-by: Luis Henriques <luis.henriques@xxxxxxxxxxxxx>
---
drivers/media/dvb/dvb-usb/mxl111sf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/dvb/dvb-usb/mxl111sf.c b/drivers/media/dvb/dvb-usb/mxl111sf.c
index cd84279..086fb8a 100644
--- a/drivers/media/dvb/dvb-usb/mxl111sf.c
+++ b/drivers/media/dvb/dvb-usb/mxl111sf.c
@@ -101,7 +101,7 @@ int mxl111sf_read_reg(struct mxl111sf_state *state, u8 addr, u8 *data)
ret = -EINVAL;
}

- deb_reg("R: (0x%02x, 0x%02x)\n", addr, *data);
+ deb_reg("R: (0x%02x, 0x%02x)\n", addr, buf[1]);
fail:
return ret;
}
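Review bot: On the `ret = -EINVAL` path visible just above the changed `deb_reg()` line, `*data` is still never written, so printing `buf[1]` stops the debug line from reading the caller's uninitialized variable but leaves that variable uninitialized for any caller that does not check the return value. Consider storing a defined value in `*data` on that path, or confirming that the callers in mxl111sf_config_pin_mux_modes test the return code before using the result. The debug line also now reports `buf[1]` on the failure path in the same format as a good read; adding `ret` to the message would make the two cases distinguishable in the log.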
--
1.9.0
