This is a note to let you know that I've just added the patch titled si4713-i2c: avoid potential buffer overflow on si4713
to the 2.6.39-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch and it can be found in the queue-2.6.39 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <sta...@kernel.org> know about it. >From dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6 Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab <mche...@redhat.com> Date: Sun, 17 Jul 2011 00:24:37 -0300 Subject: si4713-i2c: avoid potential buffer overflow on si4713 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Mauro Carvalho Chehab <mche...@redhat.com> commit dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6 upstream. While compiling it with Fedora 15, I noticed this issue: inlined from âsi4713_write_econtrol_stringâ at drivers/media/radio/si4713-i2c.c:1065:24: arch/x86/include/asm/uaccess_32.h:211:26: error: call to âcopy_from_user_overflowâ declared with attribute error: copy_from_user() buffer size is not provably correct Signed-off-by: Mauro Carvalho Chehab <mche...@redhat.com> Acked-by: Sakari Ailus <sakari.ai...@maxwell.research.nokia.com> Acked-by: Eduardo Valentin <edubez...@gmail.com> Reviewed-by: Eugene Teo <eugene...@kernel.sg> Signed-off-by: Linus Torvalds <torva...@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gre...@suse.de> --- drivers/media/radio/si4713-i2c.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/media/radio/si4713-i2c.c +++ b/drivers/media/radio/si4713-i2c.c @@ -1033,7 +1033,7 @@ static int si4713_write_econtrol_string( char ps_name[MAX_RDS_PS_NAME + 1]; len = control->size - 1; - if (len > MAX_RDS_PS_NAME) { + if (len < 0 || len > MAX_RDS_PS_NAME) { rval = -ERANGE; goto exit; } @@ -1057,7 +1057,7 @@ static int si4713_write_econtrol_string( char radio_text[MAX_RDS_RADIO_TEXT + 1]; len = control->size - 1; - if (len > MAX_RDS_RADIO_TEXT) { + if (len < 0 || len > MAX_RDS_RADIO_TEXT) { rval = -ERANGE; goto exit; } Patches currently in stable-queue which might be from mche...@redhat.com are queue-2.6.39/tuner-core-fix-tuner_resume-use-t-mode-instead-of-t-type.patch queue-2.6.39/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch queue-2.6.39/tuner-core-fix-s_std-and-s_tuner.patch queue-2.6.39/revert-v4l-dvb-cx23885-enable-message-signaled-interrupts-msi.patch queue-2.6.39/pvrusb2-fix-g-s_tuner-support.patch queue-2.6.39/bttv-fix-s_tuner-for-radio.patch queue-2.6.39/v4l2-ioctl.c-prefill-tuner-type-for-g_frequency-and.patch
_______________________________________________ stable mailing list stable@linux.kernel.org http://linux.kernel.org/mailman/listinfo/stable