From patchwork Wed Dec 11 18:32:13 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alan Cox X-Patchwork-Id: 3329361 Return-Path: X-Original-To: patchwork-dri-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 5A3BB9F1F0 for ; Thu, 12 Dec 2013 00:32:41 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 8D4D5207E3 for ; Thu, 12 Dec 2013 00:32:40 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id 6179B207D3 for ; Thu, 12 Dec 2013 00:32:39 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 13A08FA83E; Wed, 11 Dec 2013 16:32:36 -0800 (PST) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org X-Greylist: delayed 396 seconds by postgrey-1.32 at gabe; Wed, 11 Dec 2013 10:38:39 PST Received: from alan.etchedpixels.co.uk (earthlight.etchedpixels.co.uk [81.2.110.250]) by gabe.freedesktop.org (Postfix) with ESMTP id E26EBF9DA8 for ; Wed, 11 Dec 2013 10:38:39 -0800 (PST) Received: from alan.etchedpixels.co.uk (localhost [127.0.0.1]) by alan.etchedpixels.co.uk (8.14.4/8.14.4/Debian-2.1ubuntu4) with ESMTP id rBBIWD0u008876 for ; Wed, 11 Dec 2013 18:32:14 GMT Subject: [PATCH] mkregtable: Fix sscanf handling To: dri-devel@lists.freedesktop.org From: Alan Date: Wed, 11 Dec 2013 18:32:13 +0000 Message-ID: <20131211183203.8851.45727.stgit@alan.etchedpixels.co.uk> User-Agent: StGit/0.15 MIME-Version: 1.0 X-Mailman-Approved-At: Wed, 11 Dec 2013 16:32:24 -0800 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dri-devel-bounces@lists.freedesktop.org Errors-To: dri-devel-bounces@lists.freedesktop.org X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP If you feed the tool a suitable bogus register map you can break it in arbitary (code executing) ways. While this isn't a particularly exciting or probable attack vector we still ought to fix it. One of a set of sscanf issues reported by Jackie Chang Signed-off-by: Alan Cox --- drivers/gpu/drm/radeon/mkregtable.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/radeon/mkregtable.c b/drivers/gpu/drm/radeon/mkregtable.c index af85299..4a85bb6 100644 --- a/drivers/gpu/drm/radeon/mkregtable.c +++ b/drivers/gpu/drm/radeon/mkregtable.c @@ -655,7 +655,7 @@ static int parser_auth(struct table *t, const char *filename) /* first line will contain the last register * and gpu name */ - sscanf(buf, "%s %s", gpu_name, last_reg_s); + sscanf(buf, "%9s %9s", gpu_name, last_reg_s); t->gpu_prefix = gpu_name; last_reg = strtol(last_reg_s, NULL, 16);