* Patch "spi: spidev_test: Fix buffer overflow in unescape()" has been added to the 4.7-stable tree
@ 2016-10-25 18:57 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2016-10-25 18:57 UTC (permalink / raw)
To: geert+renesas, broonie, gregkh; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
spi: spidev_test: Fix buffer overflow in unescape()
to the 4.7-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
spi-spidev_test-fix-buffer-overflow-in-unescape.patch
and it can be found in the queue-4.7 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From 0278b34bf15f8d8a609595b15909cd8622dd64ca Mon Sep 17 00:00:00 2001
From: Geert Uytterhoeven <geert+renesas@glider.be>
Date: Fri, 9 Sep 2016 09:02:51 +0200
Subject: spi: spidev_test: Fix buffer overflow in unescape()
From: Geert Uytterhoeven <geert+renesas@glider.be>
commit 0278b34bf15f8d8a609595b15909cd8622dd64ca upstream.
Sometimes spidev_test crashes with:
*** Error in `spidev_test': munmap_chunk(): invalid pointer: 0x00022020 ***
Aborted
or just
Segmentation fault
This is due to transfer_escaped_string() miscalculating the required
size of the buffer by one byte, causing a buffer overflow in unescape().
Drop the bogus "+ 1" in the strlen() parameter to fix this.
Note that unescape() never copies the zero-terminator of the source
string, so it writes at most as many bytes as the length of the source
string.
Fixes: 30061915be6e3a2c (spi: spidev_test: Added input buffer from the terminal)
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/spi/spidev_test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/spi/spidev_test.c
+++ b/tools/spi/spidev_test.c
@@ -284,7 +284,7 @@ static void parse_opts(int argc, char *a
static void transfer_escaped_string(int fd, char *str)
{
- size_t size = strlen(str + 1);
+ size_t size = strlen(str);
uint8_t *tx;
uint8_t *rx;
Patches currently in stable-queue which might be from geert+renesas@glider.be are
queue-4.7/spi-spidev_test-fix-buffer-overflow-in-unescape.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2016-10-25 18:58 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-10-25 18:57 Patch "spi: spidev_test: Fix buffer overflow in unescape()" has been added to the 4.7-stable tree gregkh
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).