Bug 11397 - possible buffer overflow on stack
Summary: possible buffer overflow on stack
Alias: None
Product: Drivers
Classification: Unclassified
Component: PCI (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: drivers_pci@kernel-bugs.osdl.org
Depends on:
Reported: 2008-08-21 16:00 UTC by Zvonimir Rakamaric
Modified: 2012-05-11 23:46 UTC (History)
4 users (show)

See Also:
Kernel Version: 2.6.26
Tree: Mainline
Regression: No


Description Zvonimir Rakamaric 2008-08-21 16:00:38 UTC
Problem Description:

The problem is actually pretty simple. Here is the piece of source code from applicom.c which I believe has a bug:

static int do_ac_read(int IndexCard, char __user *buf,
    struct st_ram_io *st_loc, struct mailbox *mailbox)
  unsigned char *to = (unsigned char *)&mailbox;
    int c;

    for (c = 0; c < sizeof(struct mailbox); c++)
      *(to++) = readb(from++);

I believe that the code should initialize the structure mailbox using readb.
However, it is actually writing over the pointer to mailbox because of this line:
  unsigned char *to = (unsigned char *)&mailbox;

I think this line should actually be:
  unsigned char *to = (unsigned char *)mailbox;

I found this bug using my own static checker for low-level systems software whose codename is Smack, which I am developing as a part of my PhD. For the sake of my research (and also I am currently in the process of writing a paper), I would greatly appreciate if you could confirm/dispute the bug.

-- Zvonimir
Comment 1 Jesse Barnes 2008-08-21 16:32:42 UTC
Certainly looks suspicious, adding David as he's listed as responsible for that driver.
Comment 2 David Woodhouse 2008-08-22 01:19:25 UTC
Certainly looks wrong. Mildly confused about how this ever worked (and I can't test it any more).
Comment 3 Zvonimir Rakamaric 2008-08-22 15:11:05 UTC
Thanks for a quick clarification!
Btw, if you'll ever take a closer look at this bug and maybe fix it, I just submitted another one you could also take a look at (Bug #11408) that is in the same file.

Note You need to log in before you can comment on or make changes to this bug.