From: Jon Smirl <jonsmirl@gmail.com>
To: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Andrew Morton <akpm@osdl.org>, Linus Torvalds <torvalds@osdl.org>,
	Linux Kernel Development <linux-kernel@vger.kernel.org>,
	Linux Frame Buffer Device Development
	<linux-fbdev-devel@lists.sourceforge.net>
Subject: Re: [PATCH] fbdev: colormap fixes
Date: Thu, 28 Jul 2005 15:31:44 -0400	[thread overview]
Message-ID: <9e473391050728123150931cbd@mail.gmail.com> (raw)
In-Reply-To: <9e473391050728074573e40038@mail.gmail.com>

Do we want to apply this patch now to get rid of the buffer overflow hole?
Then we can take our time and work out a better solution.

-- 
Jon Smirl
jonsmirl@gmail.com

Fix a buffer overflow vulnerability in previous cmap patch
Signed-off-by: Jon Smirl <jonsmirl@gmail.com>

diff --git a/drivers/video/fbsysfs.c b/drivers/video/fbsysfs.c
--- a/drivers/video/fbsysfs.c
+++ b/drivers/video/fbsysfs.c
@@ -244,15 +244,15 @@ static ssize_t show_virtual(struct class
 
 /* Format for cmap is "%02x%c%4x%4x%4x\n" */
 /* %02x entry %c transp %4x red %4x blue %4x green \n */
-/* 255 rows at 16 chars equals 4096 */
-/* PAGE_SIZE can be 4096 or larger */
+/* 256 rows at 16 chars equals 4096, the normal page size */
+/* the code will automatically adjust for different page sizes */
 static ssize_t store_cmap(struct class_device *class_device, const char *buf,
 			  size_t count)
 {
 	struct fb_info *fb_info = (struct fb_info *)class_get_devdata(class_device);
 	int rc, i, start, length, transp = 0;
 
-	if ((count > 4096) || ((count % 16) != 0) || (PAGE_SIZE < 4096))
+	if ((count > PAGE_SIZE) || ((count % 16) != 0))
 		return -EINVAL;
 
 	if (!fb_info->fbops->fb_setcolreg && !fb_info->fbops->fb_setcmap)
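Review bot: the new guard `if ((count > PAGE_SIZE) || ((count % 16) != 0))` bounds the write by page size, but nothing in this hunk caps the number of 16-character rows at 256, which is the most the `%02x` entry index in the format comment can express; on a system where PAGE_SIZE is larger than 4096 (exactly the case the removed `(PAGE_SIZE < 4096)` test was worried about) a write of more than 256 rows now passes this check, so either the parsing below must still validate `start` and `length` against the colormap size, or the check should be tightened to `count > 256 * 16`. The `count % 16` test also accepts `count == 0`; if an empty write is not meant to succeed, reject it explicitly here rather than letting it fall through to the parser.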
@@ -317,18 +317,18 @@ static ssize_t show_cmap(struct class_de
 	   !fb_info->cmap.green)
 		return -EINVAL;
 
-	if (PAGE_SIZE < 4096)
+	if (fb_info->cmap.len > PAGE_SIZE / 16)
 		return -EINVAL;
 
 	/* don't mess with the format, the buffer is PAGE_SIZE */
-	/* 255 entries at 16 chars per line equals 4096 = PAGE_SIZE */
+	/* 256 entries at 16 chars per line equals 4096 = PAGE_SIZE */
 	for (i = 0; i < fb_info->cmap.len; i++) {
-		sprintf(&buf[ i * 16], "%02x%c%4x%4x%4x\n", i + fb_info->cmap.start,
+		snprintf(&buf[ i * 16], PAGE_SIZE - i * 16, "%02x%c%4x%4x%4x\n", i
+ fb_info->cmap.start,
 			((fb_info->cmap.transp && fb_info->cmap.transp[i]) ? '*' : ' '),
 			fb_info->cmap.red[i], fb_info->cmap.blue[i],
 			fb_info->cmap.green[i]);
 	}
-	return 4096;
+	return 16 * fb_info->cmap.len;
 }
 
 static ssize_t store_blank(struct class_device *class_device, const char * buf,
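Review bot: the line `+ fb_info->cmap.start,` is a mailer line wrap of the preceding `snprintf(...)` call, not an added source line, so the hunk carries one more `+` line than its `@@ -317,18 +317,18 @@` header accounts for and will not apply as posted; please resend with the call on one line or split into two properly indented source lines with the hunk counts updated. On the logic, the new `fb_info->cmap.len > PAGE_SIZE / 16` bound together with `snprintf(..., PAGE_SIZE - i * 16, ...)` and `return 16 * fb_info->cmap.len` does confine the output to the page, but the fixed 16-character row still assumes `i + fb_info->cmap.start` fits in `%02x`: an entry index of 256 or more prints three digits, snprintf then drops the trailing newline, and the row alignment that the "don't mess with the format" comment depends on is lost. Either reject `cmap.start + cmap.len > 256` next to the new length check, or widen the format and the row size together.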

