From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jon Smirl Subject: Re: [PATCH] fbdev: colormap fixes Date: Thu, 28 Jul 2005 15:31:44 -0400 Message-ID: <9e473391050728123150931cbd@mail.gmail.com> References: <200507280031.j6S0V3L3016861@hera.kernel.org> <9e473391050728074573e40038@mail.gmail.com> Reply-To: linux-fbdev-devel@lists.sourceforge.net Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Return-path: Received: from sc8-sf-mx2-b.sourceforge.net ([10.3.1.92] helo=mail.sourceforge.net) by sc8-sf-list1.sourceforge.net with esmtp (Exim 4.30) id 1DyE6k-000102-BT for linux-fbdev-devel@lists.sourceforge.net; Thu, 28 Jul 2005 12:31:54 -0700 Received: from wproxy.gmail.com ([64.233.184.194]) by mail.sourceforge.net with esmtp (Exim 4.44) id 1DyE6j-0002vg-1h for linux-fbdev-devel@lists.sourceforge.net; Thu, 28 Jul 2005 12:31:54 -0700 Received: by wproxy.gmail.com with SMTP id 36so468887wra for ; Thu, 28 Jul 2005 12:31:45 -0700 (PDT) In-Reply-To: <9e473391050728074573e40038@mail.gmail.com> Content-Disposition: inline Sender: linux-fbdev-devel-admin@lists.sourceforge.net Errors-To: linux-fbdev-devel-admin@lists.sourceforge.net List-Unsubscribe: , List-Id: List-Post: List-Help: List-Subscribe: , List-Archive: Content-Type: text/plain; charset="us-ascii" To: Geert Uytterhoeven Cc: Andrew Morton , Linus Torvalds , Linux Kernel Development , Linux Frame Buffer Device Development Do we want to apply this patch now to get rid of the buffer overflow hole? Then we can take our time and work out a better solution. --=20 Jon Smirl jonsmirl@gmail.com Fix a buffer overflow vunerabilty in previous cmap patch signed-off-by: Jon Smirl
diff --git a/drivers/video/fbsysfs.c b/drivers/video/fbsysfs.c
--- a/drivers/video/fbsysfs.c
+++ b/drivers/video/fbsysfs.c
@@ -244,15 +244,15 @@ static ssize_t show_virtual(struct class
=20
 /* Format for cmap is "%02x%c%4x%4x%4x\n" */
 /* %02x entry %c transp %4x red %4x blue %4x green \n */
-/* 255 rows at 16 chars equals 4096 */
-/* PAGE_SIZE can be 4096 or larger */
+/* 256 rows at 16 chars equals 4096, the normal page size */
+/* the code will automatically adjust for different page sizes */
 static ssize_t store_cmap(struct class_device *class_device, const char *b= uf,
 =09=09=09 size_t count)
 {
 =09struct fb_info *fb_info =3D (struct fb_info *)class_get_devdata(class_d= evice);
 =09int rc, i, start, length, transp =3D 0;
=20
-=09if ((count > 4096) || ((count % 16) !=3D 0) || (PAGE_SIZE < 4096))
+=09if ((count > PAGE_SIZE) || ((count % 16) !=3D 0))
 =09=09return -EINVAL;
=20
 =09if (!fb_info->fbops->fb_setcolreg && !fb_info->fbops->fb_setcmap)
@@ -317,18 +317,18 @@ static ssize_t show_cmap(struct class_de
 =09 !fb_info->cmap.green)
 =09=09return -EINVAL;
=20
-=09if (PAGE_SIZE < 4096)
+=09if (fb_info->cmap.len > PAGE_SIZE / 16)
 =09=09return -EINVAL;
=20
 =09/* don't mess with the format, the buffer is PAGE_SIZE */
-=09/* 255 entries at 16 chars per line equals 4096 =3D PAGE_SIZE */
+=09/* 256 entries at 16 chars per line equals 4096 =3D PAGE_SIZE */
 =09for (i =3D 0; i < fb_info->cmap.len; i++) {
-=09=09sprintf(&buf[ i * 16], "%02x%c%4x%4x%4x\n", i + fb_info->cmap.start,
+=09=09snprintf(&buf[ i * 16], PAGE_SIZE - i * 16, "%02x%c%4x%4x%4x\n", i + fb_info->cmap.start,
 =09=09=09((fb_info->cmap.transp && fb_info->cmap.transp[i]) ? '*' : ' '),
 =09=09=09fb_info->cmap.red[i], fb_info->cmap.blue[i],
 =09=09=09fb_info->cmap.green[i]);
 =09}
-=09return 4096;
+=09return 16 * fb_info->cmap.len;
 }
=20
 static ssize_t store_blank(struct class_device *class_device, const char *= buf,
------------------------------------------------------- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261556AbVG1Tdu (ORCPT ); Thu, 28 Jul 2005 15:33:50 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261800AbVG1Tdf (ORCPT ); Thu, 28 Jul 2005 15:33:35 -0400 Received: from wproxy.gmail.com ([64.233.184.192]:37540 "EHLO wproxy.gmail.com") by vger.kernel.org with ESMTP id S261643AbVG1Tbr convert rfc822-to-8bit (ORCPT ); Thu, 28 Jul 2005 15:31:47 -0400 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=lvg9tPeUw5maeBGF0t3IUI5JB4i/a54MSviOa4FVx83vpLFHOcztMZ6+FjV7cQ98d1lMwn4m2fKRxpUS0BJ9Tm48hgDIWFqhHtol0Dn8u4jU0qRbgMdZmR3mq2ir/Ki1gLRasgBGK1z5pv4TrZyL+TCGbcNOklRuTcSAqBocz/o= Message-ID: <9e473391050728123150931cbd@mail.gmail.com> Date: Thu, 28 Jul 2005 15:31:44 -0400 From: Jon Smirl Reply-To: Jon Smirl To: Geert Uytterhoeven Subject: Re: [PATCH] fbdev: colormap fixes Cc: Andrew Morton , Linus Torvalds , Linux Kernel Development , Linux Frame Buffer Device Development In-Reply-To: <9e473391050728074573e40038@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7BIT Content-Disposition: inline References: <200507280031.j6S0V3L3016861@hera.kernel.org> <9e473391050728074573e40038@mail.gmail.com> Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Do we want to apply this patch now to get rid of the buffer overflow hole? Then we can take our time and work out a better solution. -- Jon Smirl jonsmirl@gmail.com Fix a buffer overflow vunerabilty in previous cmap patch signed-off-by: Jon Smirl
diff --git a/drivers/video/fbsysfs.c b/drivers/video/fbsysfs.c
--- a/drivers/video/fbsysfs.c
+++ b/drivers/video/fbsysfs.c
@@ -244,15 +244,15 @@ static ssize_t show_virtual(struct class

 /* Format for cmap is "%02x%c%4x%4x%4x\n" */
 /* %02x entry %c transp %4x red %4x blue %4x green \n */
-/* 255 rows at 16 chars equals 4096 */
-/* PAGE_SIZE can be 4096 or larger */
+/* 256 rows at 16 chars equals 4096, the normal page size */
+/* the code will automatically adjust for different page sizes */
 static ssize_t store_cmap(struct class_device *class_device, const char *buf,
 size_t count)
 {
 struct fb_info *fb_info = (struct fb_info *)class_get_devdata(class_device);
 int rc, i, start, length, transp = 0;

- if ((count > 4096) || ((count % 16) != 0) || (PAGE_SIZE < 4096))
+ if ((count > PAGE_SIZE) || ((count % 16) != 0))
 return -EINVAL;

 if (!fb_info->fbops->fb_setcolreg && !fb_info->fbops->fb_setcmap)
@@ -317,18 +317,18 @@ static ssize_t show_cmap(struct class_de
 !fb_info->cmap.green)
 return -EINVAL;

- if (PAGE_SIZE < 4096)
+ if (fb_info->cmap.len > PAGE_SIZE / 16)
 return -EINVAL;

 /* don't mess with the format, the buffer is PAGE_SIZE */
- /* 255 entries at 16 chars per line equals 4096 = PAGE_SIZE */
+ /* 256 entries at 16 chars per line equals 4096 = PAGE_SIZE */
 for (i = 0; i < fb_info->cmap.len; i++) {
- sprintf(&buf[ i * 16], "%02x%c%4x%4x%4x\n", i + fb_info->cmap.start,
+ snprintf(&buf[ i * 16], PAGE_SIZE - i * 16, "%02x%c%4x%4x%4x\n", i + fb_info->cmap.start,
 ((fb_info->cmap.transp && fb_info->cmap.transp[i]) ? '*' : ' '),
 fb_info->cmap.red[i], fb_info->cmap.blue[i],
 fb_info->cmap.green[i]);
 }
- return 4096;
+ return 16 * fb_info->cmap.len;
 }

 static ssize_t store_blank(struct class_device *class_device, const char * buf,
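Review bot: The replacement comment above store_cmap says the code adjusts to the page size but no longer states the limit that results: the check `count > PAGE_SIZE` now admits PAGE_SIZE / 16 rows per write, while the two-character `%02x` entry field of a 16-character row only covers 256 indices. I would record that next to the format description, for example `/* at most PAGE_SIZE / 16 rows per write; the %02x entry field still only covers 0x00-0xff */`. Whether the row count and start index are later checked against the device's colormap cannot be seen here, because store_cmap's body continues past the end of the hunk. The same hunk appears quoted-printable encoded in the first copy of this mail.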
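Review bot: When cmap.len equals PAGE_SIZE / 16, which the new guard still allows (the 256-entry case on 4096-byte pages named in the comment), the last snprintf() in the show_cmap loop is given a size of exactly 16 for a 16-character row, so it stores 15 characters plus a NUL and the row's trailing newline is lost, while the function still returns `16 * fb_info->cmap.len`. Formatting each row into a local buffer and copying it keeps every row intact: `char row[17];`, `if (snprintf(row, sizeof(row), ...) != 16) return -EINVAL;`, `memcpy(&buf[i * 16], row, 16);`. The length test also rejects rows that grow past 16 characters when `i + fb_info->cmap.start` exceeds 0xff, since `%02x` is only a minimum width. show_cmap starts before this hunk, and the same hunk appears quoted-printable encoded in the first copy of this mail.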