Commit 4448008e authored by Steven Rostedt's avatar Steven Rostedt Committed by David S. Miller

isdn: icn: Fix stack corruption bug.

Running randconfig with ktest.pl I hit this bug:

[   16.101158] ICN-ISDN-driver Rev 1.65.6.8 mem=0x000d0000
[   16.106376] icn: (line0) ICN-2B, port 0x320 added
[   16.111064] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: c1642880
[   16.111066] 
[   16.121214] Pid: 1, comm: swapper Not tainted 2.6.37-rc2-test-00124-g6656b3fc #8
[   16.128499] Call Trace:
[   16.130942]  [<c0f51662>] ? printk+0x1d/0x23
[   16.135200]  [<c0f5153f>] panic+0x5c/0x162
[   16.139286]  [<c0d62a9a>] ? icn_addcard+0x6d/0xbe
[   16.143975]  [<c0445783>] print_tainted+0x0/0x8c
[   16.148582]  [<c1642880>] ? icn_init+0xd8/0xdf
[   16.153012]  [<c1642880>] icn_init+0xd8/0xdf
[   16.157271]  [<c04012e5>] do_one_initcall+0x8c/0x143
[   16.162222]  [<c16427a8>] ? icn_init+0x0/0xdf
[   16.166566]  [<c15f1a05>] kernel_init+0x13f/0x1da
[   16.171256]  [<c15f18c6>] ? kernel_init+0x0/0x1da
[   16.175945]  [<c0403bfe>] kernel_thread_helper+0x6/0x10
[   16.181181] panic occurred, switching back to text console

Looking into it I found that the stack was corrupted by the assignment
of the Rev #. The variable rev is given 10 bytes, and in this output the
characters that were copied was: " 1.65.6.8 $". Which was 11 characters
plus the null ending character for a total of 12 bytes, thus corrupting
the stack.

This patch ups the variable size to 20 bytes as well as changes the
strcpy to strncpy. I also added a check to make sure '$' is found.
Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 66fc5dff
...@@ -1627,7 +1627,7 @@ __setup("icn=", icn_setup); ...@@ -1627,7 +1627,7 @@ __setup("icn=", icn_setup);
static int __init icn_init(void) static int __init icn_init(void)
{ {
char *p; char *p;
char rev[10]; char rev[20];
memset(&dev, 0, sizeof(icn_dev)); memset(&dev, 0, sizeof(icn_dev));
dev.memaddr = (membase & 0x0ffc000); dev.memaddr = (membase & 0x0ffc000);
...@@ -1637,9 +1637,10 @@ static int __init icn_init(void) ...@@ -1637,9 +1637,10 @@ static int __init icn_init(void)
spin_lock_init(&dev.devlock); spin_lock_init(&dev.devlock);
if ((p = strchr(revision, ':'))) { if ((p = strchr(revision, ':'))) {
strcpy(rev, p + 1); strncpy(rev, p + 1, 20);
p = strchr(rev, '$'); p = strchr(rev, '$');
*p = 0; if (p)
*p = 0;
} else } else
strcpy(rev, " ??? "); strcpy(rev, " ??? ");
printk(KERN_NOTICE "ICN-ISDN-driver Rev%smem=0x%08lx\n", rev, printk(KERN_NOTICE "ICN-ISDN-driver Rev%smem=0x%08lx\n", rev,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment