From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:35523 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932932AbcJYS6V (ORCPT ); Tue, 25 Oct 2016 14:58:21 -0400 Subject: Patch "spi: spidev_test: Fix buffer overflow in unescape()" has been added to the 4.7-stable tree To: geert+renesas@glider.be, broonie@kernel.org, gregkh@linuxfoundation.org Cc: , From: Date: Tue, 25 Oct 2016 20:57:45 +0200 Message-ID: <147742186591145@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled spi: spidev_test: Fix buffer overflow in unescape() to the 4.7-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: spi-spidev_test-fix-buffer-overflow-in-unescape.patch and it can be found in the queue-4.7 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From 0278b34bf15f8d8a609595b15909cd8622dd64ca Mon Sep 17 00:00:00 2001 From: Geert Uytterhoeven Date: Fri, 9 Sep 2016 09:02:51 +0200 Subject: spi: spidev_test: Fix buffer overflow in unescape() From: Geert Uytterhoeven commit 0278b34bf15f8d8a609595b15909cd8622dd64ca upstream. Sometimes spidev_test crashes with: *** Error in `spidev_test': munmap_chunk(): invalid pointer: 0x00022020 *** Aborted or just Segmentation fault This is due to transfer_escaped_string() miscalculating the required size of the buffer by one byte, causing a buffer overflow in unescape(). Drop the bogus "+ 1" in the strlen() parameter to fix this. Note that unescape() never copies the zero-terminator of the source string, so it writes at most as many bytes as the length of the source string. Fixes: 30061915be6e3a2c (spi: spidev_test: Added input buffer from the terminal) Signed-off-by: Geert Uytterhoeven Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman --- tools/spi/spidev_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/tools/spi/spidev_test.c +++ b/tools/spi/spidev_test.c @@ -284,7 +284,7 @@ static void parse_opts(int argc, char *a static void transfer_escaped_string(int fd, char *str) { - size_t size = strlen(str + 1); + size_t size = strlen(str); uint8_t *tx; uint8_t *rx; Patches currently in stable-queue which might be from geert+renesas@glider.be are queue-4.7/spi-spidev_test-fix-buffer-overflow-in-unescape.patch