This is a note to let you know that I've just added the patch titled si4713-i2c: avoid potential buffer overflow on si4713
to the 2.6.32-longterm tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/longterm/longterm-queue-2.6.32.git;a=summary The filename of the patch is: si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch and it can be found in the queue-2.6.32 subdirectory. If you, or anyone else, feels it should not be added to the 2.6.32 longterm tree, please let <sta...@kernel.org> know about it. >From dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6 Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab <mche...@redhat.com> Date: Sun, 17 Jul 2011 00:24:37 -0300 Subject: si4713-i2c: avoid potential buffer overflow on si4713 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Mauro Carvalho Chehab <mche...@redhat.com> commit dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6 upstream. While compiling it with Fedora 15, I noticed this issue: inlined from âsi4713_write_econtrol_stringâ at drivers/media/radio/si4713-i2c.c:1065:24: arch/x86/include/asm/uaccess_32.h:211:26: error: call to âcopy_from_user_overflowâ declared with attribute error: copy_from_user() buffer size is not provably correct Signed-off-by: Mauro Carvalho Chehab <mche...@redhat.com> Acked-by: Sakari Ailus <sakari.ai...@maxwell.research.nokia.com> Acked-by: Eduardo Valentin <edubez...@gmail.com> Reviewed-by: Eugene Teo <eugene...@kernel.sg> Signed-off-by: Linus Torvalds <torva...@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gre...@suse.de> --- drivers/media/radio/si4713-i2c.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/media/radio/si4713-i2c.c +++ b/drivers/media/radio/si4713-i2c.c @@ -1003,7 +1003,7 @@ static int si4713_write_econtrol_string( char ps_name[MAX_RDS_PS_NAME + 1]; len = control->size - 1; - if (len > MAX_RDS_PS_NAME) { + if (len < 0 || len > MAX_RDS_PS_NAME) { rval = -ERANGE; goto exit; } @@ -1025,7 +1025,7 @@ static int si4713_write_econtrol_string( char radio_text[MAX_RDS_RADIO_TEXT + 1]; len = control->size - 1; - if (len > MAX_RDS_RADIO_TEXT) { + if (len < 0 || len > MAX_RDS_RADIO_TEXT) { rval = -ERANGE; goto exit; } Patches currently in longterm-queue-2.6.32 which might be from mche...@redhat.com are /home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch /home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/pvrusb2-fix-g-s_tuner-support.patch /home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/bttv-fix-s_tuner-for-radio.patch /home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/v4l2-ioctl.c-prefill-tuner-type-for-g_frequency-and.patch
_______________________________________________ stable mailing list stable@linux.kernel.org http://linux.kernel.org/mailman/listinfo/stable