Bug 11397
| Summary: | possible buffer overflow on stack | ||
|---|---|---|---|
| Product: | Drivers | Reporter: | Zvonimir Rakamaric (zrakamar) |
| Component: | PCI | Assignee: | drivers_pci (drivers_pci) |
| Status: | RESOLVED CODE_FIX | ||
| Severity: | normal | CC: | alan, dwmw2, eugeneteo, zrakamar |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | 2.6.26 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
Certainly looks suspicious, adding David as he's listed as responsible for that driver. Certainly looks wrong. Mildly confused about how this ever worked (and I can't test it any more). Thanks for a quick clarification! Btw, if you'll ever take a closer look at this bug and maybe fix it, I just submitted another one you could also take a look at (Bug #11408) that is in the same file. |
Problem Description: The problem is actually pretty simple. Here is the piece of source code from applicom.c which I believe has a bug: static int do_ac_read(int IndexCard, char __user *buf, struct st_ram_io *st_loc, struct mailbox *mailbox) { ..... unsigned char *to = (unsigned char *)&mailbox; ..... { int c; for (c = 0; c < sizeof(struct mailbox); c++) *(to++) = readb(from++); } I believe that the code should initialize the structure mailbox using readb. However, it is actually writing over the pointer to mailbox because of this line: unsigned char *to = (unsigned char *)&mailbox; I think this line should actually be: unsigned char *to = (unsigned char *)mailbox; I found this bug using my own static checker for low-level systems software whose codename is Smack, which I am developing as a part of my PhD. For the sake of my research (and also I am currently in the process of writing a paper), I would greatly appreciate if you could confirm/dispute the bug. Thanks! -- Zvonimir