* BUG in av7110_vbi_write()
From: e9hack @ 2009-05-13 21:53 UTC (permalink / raw)
To: linux-media; +Cc: Oliver Endriss
Hi,
it seems there is a bug in av7110_vbi_write() (av7110_v4l.c). If a user mode application
tries to write more bytes than the size of the structure v4l2_slices_vbi_data,
copy_from_user() will overwrite parts of the kernel stack.
Regards,
Hartmut
* Re: BUG in av7110_vbi_write()
From: Oliver Endriss @ 2009-05-14 11:44 UTC (permalink / raw)
To: e9hack; +Cc: linux-media
e9hack wrote:
> Hi,
>
> it seems there is a bug in av7110_vbi_write() (av7110_v4l.c). If a user mode application
> tries to write more bytes than the size of the structure v4l2_slices_vbi_data,
> copy_from_user() will overwrite parts of the kernel stack.
No, it cannot happen:
| if (FW_VERSION(av7110->arm_app) < 0x2623 || !av7110->wssMode || count != sizeof d)
|         return -EINVAL;
| if (copy_from_user(&d, data, count))
|         return -EFAULT;
copy_from_user() will only be called if count == sizeof d.
CU
Oliver
--
----------------------------------------------------------------
VDR Remote Plugin 0.4.0: http://www.escape-edv.de/endriss/vdr/
----------------------------------------------------------------
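The guard ordering discussed in this thread, as an added user-space example that is not part of the original messages or the driver source: the length check runs before the copy, so a write of any size other than the destination structure is rejected without touching the stack buffer. The names `vbi_record`, `mock_copy_from_user`, `vbi_write_checked` and `try_write` are hypothetical, the structure layout is constructed, and the firmware-version and wssMode conditions from the quoted code are left out.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size record; stands in for the structure copied in the thread. */
struct vbi_record {
	unsigned int id;
	unsigned int line;
	unsigned char payload[48];
};

static int copy_calls;	/* how many times the copy was actually reached */

/* User-space stand-in for copy_from_user(): returns bytes NOT copied (0 = success). */
static unsigned long mock_copy_from_user(void *to, const void *from, unsigned long n)
{
	copy_calls++;
	memcpy(to, from, n);
	return 0;
}

/* Same ordering as the quoted code: validate count first, copy second. */
static long vbi_write_checked(const void *data, size_t count, struct vbi_record *out)
{
	struct vbi_record d;

	if (count != sizeof d)
		return -EINVAL;		/* oversized and undersized writes stop here */
	if (mock_copy_from_user(&d, data, count))
		return -EFAULT;
	*out = d;
	return (long)count;
}

/* Constructed input: attempt a write of `count` bytes from a 256-byte buffer. */
static long try_write(size_t count)
{
	static unsigned char user_buf[256];	/* larger than the record on purpose */
	struct vbi_record out;

	memset(user_buf, 0x41, sizeof user_buf);
	return vbi_write_checked(user_buf, count, &out);
}
```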