Re: [PATCH] zl10353 and qt1010: fix stack corruption bug

[Antti Palosaari <crope@iki.fi>]

Hei Jan,

On 06/10/2009 09:21 AM, Jan Nikitenko wrote:
> This patch fixes stack corruption bug present in dump_regs function of
> zl10353 and qt1010 drivers:
> the buffer buf is one byte smaller than required - there is 4 chars
> for address prefix, 16*3 chars for dump of 16 eeprom bytes per line
> and 1 byte for zero ending the string required, i.e. 53 bytes, but
> only 52 were provided.
> The one byte missing in stack based buffer buf can cause stack
> corruption possibly leading to kernel oops, as discovered originally
> with af9015 driver.
>
> Signed-off-by: Jan Nikitenko <jan.nikitenko@gmail.com>
>
> ---
>
> Antti Palosaari wrote:
>  > On 06/10/2009 01:39 AM, Jan Nikitenko wrote:
>  >> Solved with "[PATCH] af9015: fix stack corruption bug".
>  >
>  > This error leads to the zl10353.c and there it was copied to qt1010.c
>  > and af9015.c.
>  >
> Antti, thanks for pointing out that the same problem was also in
> zl10353.c and qt1010.c. Include your Sign-off-by, please.

I tried to test that patch (from patchwork) to ensure it is OK before 
ack, but I found it does not apply for reason or other. It looks correct 
for my eyes. Please check what's wrong and apply new patch.

[crope@localhost v4l-dvb]$ patch -p1 < 
af9015-fix-stack-corruption-bug.patch
patching file linux/drivers/media/dvb/dvb-usb/af9015.c
[crope@localhost v4l-dvb]$ patch -p1 < 
zl10353-and-qt1010-fix-stack-corruption-bug.patch
patching file linux/drivers/media/common/tuners/qt1010.c
Hunk #1 FAILED at 65.
1 out of 1 hunk FAILED -- saving rejects to file 
linux/drivers/media/common/tuners/qt1010.c.rej
patching file linux/drivers/media/dvb/frontends/zl10353.c
Hunk #1 FAILED at 102.
1 out of 1 hunk FAILED -- saving rejects to file 
linux/drivers/media/dvb/frontends/zl10353.c.rej
[crope@localhost v4l-dvb]$ hg diff
diff -r 148b4c93a728 linux/drivers/media/dvb/dvb-usb/af9015.c
--- a/linux/drivers/media/dvb/dvb-usb/af9015.c	Mon Jun 15 14:15:33 2009 
-0300
+++ b/linux/drivers/media/dvb/dvb-usb/af9015.c	Mon Jun 15 21:55:55 2009 
+0300
@@ -541,7 +541,7 @@
  /* dump eeprom */
  static int af9015_eeprom_dump(struct dvb_usb_device *d)
  {
-	char buf[52], buf2[4];
+	char buf[4+3*16+1], buf2[4];
  	u8 reg, val;

  	for (reg = 0; ; reg++) {
[crope@localhost v4l-dvb]$ hg head
changeset:   11978:148b4c93a728
tag:         tip
parent:      11975:144d8d0cebc5
parent:      11977:8b416ba3ac89
user:        Mauro Carvalho Chehab <mchehab@redhat.com>
date:        Mon Jun 15 14:15:33 2009 -0300
summary:     merge: http://www.linuxtv.org/hg/~dougsland/em28xx

regards
Antti
-- 
http://palosaari.fi/