Problem Description: The problem is actually pretty simple. Here is the piece of source code from applicom.c which I believe has a bug: static int do_ac_read(int IndexCard, char __user *buf, struct st_ram_io *st_loc, struct mailbox *mailbox) { ..... unsigned char *to = (unsigned char *)&mailbox; ..... { int c; for (c = 0; c < sizeof(struct mailbox); c++) *(to++) = readb(from++); } I believe that the code should initialize the structure mailbox using readb. However, it is actually writing over the pointer to mailbox because of this line: unsigned char *to = (unsigned char *)&mailbox; I think this line should actually be: unsigned char *to = (unsigned char *)mailbox; I found this bug using my own static checker for low-level systems software whose codename is Smack, which I am developing as a part of my PhD. For the sake of my research (and also I am currently in the process of writing a paper), I would greatly appreciate if you could confirm/dispute the bug. Thanks! -- Zvonimir
Certainly looks suspicious, adding David as he's listed as responsible for that driver.
Certainly looks wrong. Mildly confused about how this ever worked (and I can't test it any more).
Thanks for a quick clarification! Btw, if you'll ever take a closer look at this bug and maybe fix it, I just submitted another one you could also take a look at (Bug #11408) that is in the same file.