Commit cbea9238 authored by Jeremy Kerr's avatar Jeremy Kerr Committed by Paul Mackerras

[POWERPC] spufs: Don't leak kernel stack through an empty {i,m}box_info read

Based on an original patch from Arnd Bergmann
<arnd.bergmann@de.ibm.com>

If there's no entry in the mailbox, then a read on the _info file will
return data from an uninitialised variable.

This change returns EOF if there's no mailbox info available instead.
Signed-off-by: default avatarJeremy Kerr <jk@ozlabs.org>
Signed-off-by: default avatarPaul Mackerras <paulus@samba.org>
parent 18789fb1
...@@ -2026,13 +2026,13 @@ static const struct file_operations spufs_caps_fops = { ...@@ -2026,13 +2026,13 @@ static const struct file_operations spufs_caps_fops = {
static ssize_t __spufs_mbox_info_read(struct spu_context *ctx, static ssize_t __spufs_mbox_info_read(struct spu_context *ctx,
char __user *buf, size_t len, loff_t *pos) char __user *buf, size_t len, loff_t *pos)
{ {
u32 mbox_stat;
u32 data; u32 data;
mbox_stat = ctx->csa.prob.mb_stat_R; /* EOF if there's no entry in the mbox */
if (mbox_stat & 0x0000ff) { if (!(ctx->csa.prob.mb_stat_R & 0x0000ff))
data = ctx->csa.prob.pu_mb_R; return 0;
}
data = ctx->csa.prob.pu_mb_R;
return simple_read_from_buffer(buf, len, pos, &data, sizeof data); return simple_read_from_buffer(buf, len, pos, &data, sizeof data);
} }
...@@ -2066,13 +2066,13 @@ static const struct file_operations spufs_mbox_info_fops = { ...@@ -2066,13 +2066,13 @@ static const struct file_operations spufs_mbox_info_fops = {
static ssize_t __spufs_ibox_info_read(struct spu_context *ctx, static ssize_t __spufs_ibox_info_read(struct spu_context *ctx,
char __user *buf, size_t len, loff_t *pos) char __user *buf, size_t len, loff_t *pos)
{ {
u32 ibox_stat;
u32 data; u32 data;
ibox_stat = ctx->csa.prob.mb_stat_R; /* EOF if there's no entry in the ibox */
if (ibox_stat & 0xff0000) { if (!(ctx->csa.prob.mb_stat_R & 0xff0000))
data = ctx->csa.priv2.puint_mb_R; return 0;
}
data = ctx->csa.priv2.puint_mb_R;
return simple_read_from_buffer(buf, len, pos, &data, sizeof data); return simple_read_from_buffer(buf, len, pos, &data, sizeof data);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment