From: Benjamin Romer Subject: [PATCH] staging: unisys: visorchannel_write() fix potential memory corruption Date: Tue, 16 Jun 2015 09:13:33 -0400 Message-ID: <1434460413-8653-1-git-send-email-benjamin.romer@unisys.com> List-Id: Linux Driver Project Developer List To: gregkh@linuxfoundation.org Cc: Jes.Sorensen@redhat.com, sparmaintainer@unisys.com, driverdev-devel@linuxdriverproject.org, Benjamin Romer From: Jes Sorensen This fixes the memory corruption case, if nbytes is less than offset and sizeof(struct channel_header) Reported-by: Dan Carpenter Signed-off-by: Jes Sorensen Signed-off-by: Benjamin Romer --- drivers/staging/unisys/visorbus/visorchannel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/unisys/visorbus/visorchannel.c b/drivers/staging/unisys/visorbus/visorchannel.c index b1155ab..20b6349 100644 --- a/drivers/staging/unisys/visorbus/visorchannel.c +++ b/drivers/staging/unisys/visorbus/visorchannel.c 
@@ -258,7 +258,7 @@ visorchannel_write(struct visorchannel *channel, ulong offset, return -EIO; if (offset < chdr_size) { - copy_size = min(chdr_size, nbytes) - offset; + copy_size = min(chdr_size - offset, nbytes); memcpy(&channel->chan_hdr + offset, local, copy_size); } -- 2.1.4
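
Review bot: the memcpy() destination on the context line right after the changed one, `&channel->chan_hdr + offset`, still needs attention even with the corrected length. If chan_hdr is a struct channel_header, as the commit message's sizeof(struct channel_header) suggests (its declaration is not in this hunk), the addition is done in units of the whole struct, so any non-zero offset puts the write offset * sizeof(struct channel_header) bytes past the start of the cached header instead of offset bytes into it. Casting the base to a byte pointer before adding offset would keep the copy inside the header; that could go in this patch or a follow-up. The new length itself is sound: inside the `offset < chdr_size` branch, `chdr_size - offset` cannot wrap, and taking the min with nbytes bounds the copy by both the remaining header bytes and the caller's buffer, whereas the old `min(chdr_size, nbytes) - offset` wraps to a huge unsigned value when nbytes is smaller than offset. The commit message would be clearer if it stated that condition directly.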