[PATCH] sym53c416: Fix nasty memory corruption

From: Ondrej Zary
Date: Mon Mar 09 2015 - 18:37:09 EST

Next message: Stephen Boyd: "Re: [PATCH 0/3] clk: divider: three exactness fixes (and a rant)"
Previous message: Mike Turquette: "Re: [PATCH v2 4/6] clk: at91: implement suspend/resume for the PMC irqchip"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In sym53c416_read(), the chip can (and does sometimes) return more bytes in
the FIFO than we want to read. This causes buffer overflow, resulting in nasty
memory and data corruption and oopses. I couldn't even read filesystem's root
directory properly (and a simple dd with 1M blocksize crashed the system)
without this patch.

Add a check to make sure we never read more bytes than required.
sym53c416_write() already contains similar check.

Signed-off-by: Ondrej Zary <linux@xxxxxxxxxxxxxxxxxxxx>
---
drivers/scsi/sym53c416.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/sym53c416.c b/drivers/scsi/sym53c416.c
index 0b7819f..76e9715 100644
--- a/drivers/scsi/sym53c416.c
+++ b/drivers/scsi/sym53c416.c
@@ -253,6 +253,8 @@ static __inline__ unsigned int sym53c416_read(int base, unsigned char *buffer, u
while(len && timeout)
{
bytes_left = inb(base + PIO_FIFO_CNT); /* Number of bytes in the PIO FIFO */
+ if (bytes_left > len)
+ bytes_left = len;
if(fastpio && bytes_left > 3)
{
insl(base + PIO_FIFO_1, buffer, bytes_left >> 2);
--
Ondrej Zary

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stephen Boyd: "Re: [PATCH 0/3] clk: divider: three exactness fixes (and a rant)"
Previous message: Mike Turquette: "Re: [PATCH v2 4/6] clk: at91: implement suspend/resume for the PMC irqchip"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]