From mboxrd@z Thu Jan 1 00:00:00 1970 From: Alan Subject: [PATCH RESEND] mkregtable: Fix sscanf handling Date: Tue, 17 Dec 2013 15:05:39 +0000 Message-ID: <20131217150513.29430.48159.stgit@alan.etchedpixels.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from alan.etchedpixels.co.uk (earthlight.etchedpixels.co.uk [81.2.110.250]) by gabe.freedesktop.org (Postfix) with ESMTP id C6AA0FCB50 for ; Tue, 17 Dec 2013 07:05:40 -0800 (PST) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dri-devel-bounces@lists.freedesktop.org Errors-To: dri-devel-bounces@lists.freedesktop.org To: trivial@kernel.org, dri-devel@lists.freedesktop.org List-Id: dri-devel@lists.freedesktop.org If you feed the tool a suitable bogus register map you can break it in arbitary (code executing) ways. While this isn't a particularly exciting or probable attack vector we still ought to fix it. One of a set of sscanf issues reported by Jackie Chang Signed-off-by: Alan Cox --- drivers/gpu/drm/radeon/mkregtable.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/radeon/mkregtable.c b/drivers/gpu/drm/radeon/mkregtable.c index af85299..4a85bb6 100644 --- a/drivers/gpu/drm/radeon/mkregtable.c +++ b/drivers/gpu/drm/radeon/mkregtable.c @@ -655,7 +655,7 @@ static int parser_auth(struct table *t, const char *filename) /* first line will contain the last register * and gpu name */ - sscanf(buf, "%s %s", gpu_name, last_reg_s); + sscanf(buf, "%9s %9s", gpu_name, last_reg_s); t->gpu_prefix = gpu_name; last_reg = strtol(last_reg_s, NULL, 16);
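Review bot: the sscanf() return value is still ignored on the changed line in parser_auth(), so a first line with fewer than two tokens leaves last_reg_s unset when it reaches strtol(last_reg_s, NULL, 16). Suggest testing the result, e.g. `if (sscanf(buf, "%9s %9s", gpu_name, last_reg_s) != 2)`, and returning an error. With the width limit in place, an over-long first token is now split silently: its tail is consumed by the second %9s and parsed as the last register, so a malformed map gives a wrong last_reg instead of a failure. Checking for unconsumed input after the second token would catch that. The declarations of gpu_name and last_reg_s are outside this hunk, so the literal 9 cannot be checked against the array sizes here; a comment next to the format string, or a width derived from the array size, would keep the two in step.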