This is a note to let you know that I've just added the patch titled
si4713-i2c: avoid potential buffer overflow on si4713
to the 2.6.39-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
and it can be found in the queue-2.6.39 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6 Mon Sep 17 00:00:00 2001
From: Mauro Carvalho Chehab <[email protected]>
Date: Sun, 17 Jul 2011 00:24:37 -0300
Subject: si4713-i2c: avoid potential buffer overflow on si4713
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Mauro Carvalho Chehab <[email protected]>
commit dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6 upstream.
While compiling it with Fedora 15, I noticed this issue:
inlined from ‘si4713_write_econtrol_string’ at
drivers/media/radio/si4713-i2c.c:1065:24:
arch/x86/include/asm/uaccess_32.h:211:26: error: call to
‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
buffer size is not provably correct
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Acked-by: Sakari Ailus <[email protected]>
Acked-by: Eduardo Valentin <[email protected]>
Reviewed-by: Eugene Teo <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/media/radio/si4713-i2c.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/radio/si4713-i2c.c
+++ b/drivers/media/radio/si4713-i2c.c
@@ -1033,7 +1033,7 @@ static int si4713_write_econtrol_string(
char ps_name[MAX_RDS_PS_NAME + 1];
len = control->size - 1;
- if (len > MAX_RDS_PS_NAME) {
+ if (len < 0 || len > MAX_RDS_PS_NAME) {
rval = -ERANGE;
goto exit;
}
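Review bot: the added "len < 0" test in the ps_name branch is only effective if len is a signed type, and its declaration is outside this hunk, so please confirm it is an int. Because len is computed as "control->size - 1", the case being caught is a control->size of 0; testing control->size itself before the subtraction (reject 0 and anything above MAX_RDS_PS_NAME + 1) would make the bound hold regardless of the types of len and control->size. It is also worth considering whether -ERANGE is the error you want for a zero-sized control, since that path previously fell through the check.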
@@ -1057,7 +1057,7 @@ static int si4713_write_econtrol_string(
char radio_text[MAX_RDS_RADIO_TEXT + 1];
len = control->size - 1;
- if (len > MAX_RDS_RADIO_TEXT) {
+ if (len < 0 || len > MAX_RDS_RADIO_TEXT) {
rval = -ERANGE;
goto exit;
}
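Review bot: this radio_text check is a second copy of the range test from the ps_name branch with only the limit changed, so the two can drift apart the next time one of them is touched. A small helper that takes control->size and the maximum (MAX_RDS_PS_NAME or MAX_RDS_RADIO_TEXT) and returns the validated length or -ERANGE would keep both branches in step. The changelog quotes the compiler diagnostic at si4713-i2c.c:1065 only; a sentence stating that a control->size of 0 makes len negative, and that the same fix is applied to both string controls, would make the reason for the lower bound clear to stable reviewers.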
Patches currently in stable-queue which might be from [email protected] are
queue-2.6.39/tuner-core-fix-tuner_resume-use-t-mode-instead-of-t-type.patch
queue-2.6.39/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch
queue-2.6.39/tuner-core-fix-s_std-and-s_tuner.patch
queue-2.6.39/revert-v4l-dvb-cx23885-enable-message-signaled-interrupts-msi.patch
queue-2.6.39/pvrusb2-fix-g-s_tuner-support.patch
queue-2.6.39/bttv-fix-s_tuner-for-radio.patch
queue-2.6.39/v4l2-ioctl.c-prefill-tuner-type-for-g_frequency-and.patch