* [PATCH] sym53c416: Fix nasty memory corruption
@ 2015-03-09 22:36 Ondrej Zary
  0 siblings, 0 replies; only message in thread
From: Ondrej Zary @ 2015-03-09 22:36 UTC (permalink / raw)
  To: linux-scsi; +Cc: Kernel development list

In sym53c416_read(), the chip can (and does sometimes) return more bytes in
the FIFO than we want to read. This causes a buffer overflow, resulting in nasty
memory and data corruption and oopses. I couldn't even read the filesystem's root
directory properly (and a simple dd with 1M blocksize crashed the system)
without this patch.

Add a check to make sure we never read more bytes than required.
sym53c416_write() already contains a similar check.

Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
---
 drivers/scsi/sym53c416.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/sym53c416.c b/drivers/scsi/sym53c416.c
index 0b7819f..76e9715 100644
--- a/drivers/scsi/sym53c416.c
+++ b/drivers/scsi/sym53c416.c
@@ -253,6 +253,8 @@ static __inline__ unsigned int sym53c416_read(int base, unsigned char *buffer, u
 	while(len && timeout)
 	{
 		bytes_left = inb(base + PIO_FIFO_CNT); /* Number of bytes in the PIO FIFO */
+		if (bytes_left > len)
+			bytes_left = len;
 		if(fastpio && bytes_left > 3)
 		{
 			insl(base + PIO_FIFO_1, buffer, bytes_left >> 2);
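Review bot: the clamp keeps the copy inside the caller's buffer, but the hunk does not show what happens to the bytes that stay in the PIO FIFO when the chip reports more than `len`; if they are not drained before the loop exits they may be consumed by the next sym53c416_read() call. A one-line comment above `if (bytes_left > len)` stating whether leftover FIFO data is discarded or carried over would make the intent clear. Minor style point: the surrounding code writes `if(fastpio && bytes_left > 3)` without a space, while the new line uses `if (bytes_left > len)`; either form is fine, but it is inconsistent within the same function.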
-- 
Ondrej Zary

