• Andi Kleen's avatar
    drivers/media/platform/sti/delta/delta-ipc.c: fix read buffer overflow · ed0d8dc1
    Andi Kleen authored
    The single caller passes a string to delta_ipc_open, which copies with a
    fixed size larger than the string.  So it copies some random data after
    the original string the ro segment.
    
    If the string was at the end of a page it may fault.
    
    Just copy the string with a normal strcpy after clearing the field.
    
    Found by a LTO build (which errors out)
    because the compiler inlines the functions and can resolve
    the string sizes and triggers the compile time checks in memcpy.
    
    In function `memcpy',
        inlined from `delta_ipc_open.constprop' at linux/drivers/media/platform/sti/delta/delta-ipc.c:178:0,
        inlined from `delta_mjpeg_ipc_open' at linux/drivers/media/platform/sti/delta/delta-mjpeg-dec.c:227:0,
        inlined from `delta_mjpeg_decode' at linux/drivers/media/platform/sti/delta/delta-mjpeg-dec.c:403:0:
    /home/andi/lsrc/linux/include/linux/string.h:337:0: error: call to `__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
        __read_overflow2();
    
    Link: http://lkml.kernel.org/r/20171222001212.1850-1-andi@firstfloor.orgSigned-off-by: default avatarAndi Kleen <ak@linux.intel.com>
    Cc: Hugues FRUCHET <hugues.fruchet@st.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarStephen Rothwell <sfr@canb.auug.org.au>
    ed0d8dc1
delta-ipc.c 14.6 KB