www.infradead.org Git - users/willy/linux.git/commit

author	Andi Kleen <ak@linux.intel.com>
	Wed, 5 Dec 2018 00:14:27 +0000 (11:14 +1100)
committer	Stephen Rothwell <sfr@canb.auug.org.au>
	Mon, 10 Dec 2018 08:29:19 +0000 (19:29 +1100)
commit	f1388414a36de094c8291034bad4f1a882bd47ce
tree	65c5d246e96e3e645942f1a35a74b273aefd74cf	tree
parent	df836a7354379a88792b8739dd42303966878ce8	commit \| diff

drivers/media/platform/sti/delta/delta-ipc.c: fix read buffer overflow

The single caller passes a string to delta_ipc_open, which copies with a
fixed size larger than the string.  So it copies some random data after
the original string the ro segment.

If the string was at the end of a page it may fault.

Just copy the string with a normal strcpy after clearing the field.

Found by a LTO build (which errors out)
because the compiler inlines the functions and can resolve
the string sizes and triggers the compile time checks in memcpy.

In function `memcpy',
    inlined from `delta_ipc_open.constprop' at linux/drivers/media/platform/sti/delta/delta-ipc.c:178:0,
    inlined from `delta_mjpeg_ipc_open' at linux/drivers/media/platform/sti/delta/delta-mjpeg-dec.c:227:0,
    inlined from `delta_mjpeg_decode' at linux/drivers/media/platform/sti/delta/delta-mjpeg-dec.c:403:0:
/home/andi/lsrc/linux/include/linux/string.h:337:0: error: call to `__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
    __read_overflow2();

Link: http://lkml.kernel.org/r/20171222001212.1850-1-andi@firstfloor.org
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Cc: Hugues FRUCHET <hugues.fruchet@st.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>