aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSteven Rostedt <rostedt@goodmis.org>2010-11-24 14:19:05 -0500
committerDavid S. Miller <davem@davemloft.net>2010-11-24 14:19:05 -0500
commit4448008eb12f4b6bb9993584de8ec1d20b708d6f (patch)
treed1fc6df2841da3803313817160df3044cac9d43e
parent66fc5dff5e4f82c92723202a5de9bdec16a9331f (diff)
isdn: icn: Fix stack corruption bug.
Running randconfig with ktest.pl I hit this bug: [ 16.101158] ICN-ISDN-driver Rev 1.65.6.8 mem=0x000d0000 [ 16.106376] icn: (line0) ICN-2B, port 0x320 added [ 16.111064] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: c1642880 [ 16.111066] [ 16.121214] Pid: 1, comm: swapper Not tainted 2.6.37-rc2-test-00124-g6656b3f #8 [ 16.128499] Call Trace: [ 16.130942] [<c0f51662>] ? printk+0x1d/0x23 [ 16.135200] [<c0f5153f>] panic+0x5c/0x162 [ 16.139286] [<c0d62a9a>] ? icn_addcard+0x6d/0xbe [ 16.143975] [<c0445783>] print_tainted+0x0/0x8c [ 16.148582] [<c1642880>] ? icn_init+0xd8/0xdf [ 16.153012] [<c1642880>] icn_init+0xd8/0xdf [ 16.157271] [<c04012e5>] do_one_initcall+0x8c/0x143 [ 16.162222] [<c16427a8>] ? icn_init+0x0/0xdf [ 16.166566] [<c15f1a05>] kernel_init+0x13f/0x1da [ 16.171256] [<c15f18c6>] ? kernel_init+0x0/0x1da [ 16.175945] [<c0403bfe>] kernel_thread_helper+0x6/0x10 [ 16.181181] panic occurred, switching back to text console Looking into it I found that the stack was corrupted by the assignment of the Rev #. The variable rev is given 10 bytes, and in this output the characters that were copied was: " 1.65.6.8 $". Which was 11 characters plus the null ending character for a total of 12 bytes, thus corrupting the stack. This patch ups the variable size to 20 bytes as well as changes the strcpy to strncpy. I also added a check to make sure '$' is found. Signed-off-by: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/isdn/icn/icn.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c
index 2e847a90bad0..f2b5bab5e6a1 100644
--- a/drivers/isdn/icn/icn.c
+++ b/drivers/isdn/icn/icn.c
@@ -1627,7 +1627,7 @@ __setup("icn=", icn_setup);
1627static int __init icn_init(void) 1627static int __init icn_init(void)
1628{ 1628{
1629 char *p; 1629 char *p;
1630 char rev[10]; 1630 char rev[20];
1631 1631
1632 memset(&dev, 0, sizeof(icn_dev)); 1632 memset(&dev, 0, sizeof(icn_dev));
1633 dev.memaddr = (membase & 0x0ffc000); 1633 dev.memaddr = (membase & 0x0ffc000);
@@ -1637,9 +1637,10 @@ static int __init icn_init(void)
1637 spin_lock_init(&dev.devlock); 1637 spin_lock_init(&dev.devlock);
1638 1638
1639 if ((p = strchr(revision, ':'))) { 1639 if ((p = strchr(revision, ':'))) {
1640 strcpy(rev, p + 1); 1640 strncpy(rev, p + 1, 20);
1641 p = strchr(rev, '$'); 1641 p = strchr(rev, '$');
1642 *p = 0; 1642 if (p)
1643 *p = 0;
1643 } else 1644 } else
1644 strcpy(rev, " ??? "); 1645 strcpy(rev, " ??? ");
1645 printk(KERN_NOTICE "ICN-ISDN-driver Rev%smem=0x%08lx\n", rev, 1646 printk(KERN_NOTICE "ICN-ISDN-driver Rev%smem=0x%08lx\n", rev,