From patchwork Tue Dec 17 15:05:39 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alan Cox X-Patchwork-Id: 3364041 Return-Path: X-Original-To: patchwork-dri-devel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 61831C0D4A for ; Tue, 17 Dec 2013 18:38:21 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 645C1203B4 for ; Tue, 17 Dec 2013 18:38:20 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by mail.kernel.org (Postfix) with ESMTP id 62327203B0 for ; Tue, 17 Dec 2013 18:38:18 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id EAC5DFCB13; Tue, 17 Dec 2013 10:38:13 -0800 (PST) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from alan.etchedpixels.co.uk (earthlight.etchedpixels.co.uk [81.2.110.250]) by gabe.freedesktop.org (Postfix) with ESMTP id C6AA0FCB50 for ; Tue, 17 Dec 2013 07:05:40 -0800 (PST) Received: from alan.etchedpixels.co.uk (localhost [127.0.0.1]) by alan.etchedpixels.co.uk (8.14.4/8.14.4/Debian-2.1ubuntu4) with ESMTP id rBHF5dej029458; Tue, 17 Dec 2013 15:05:40 GMT Subject: [PATCH RESEND] mkregtable: Fix sscanf handling To: trivial@kernel.org, dri-devel@lists.freedesktop.org From: Alan Date: Tue, 17 Dec 2013 15:05:39 +0000 Message-ID: <20131217150513.29430.48159.stgit@alan.etchedpixels.co.uk> User-Agent: StGit/0.15 MIME-Version: 1.0 X-Mailman-Approved-At: Tue, 17 Dec 2013 10:38:11 -0800 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dri-devel-bounces@lists.freedesktop.org Errors-To: dri-devel-bounces@lists.freedesktop.org X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP If you feed the tool a suitable bogus register map you can break it in arbitary (code executing) ways. While this isn't a particularly exciting or probable attack vector we still ought to fix it. One of a set of sscanf issues reported by Jackie Chang Signed-off-by: Alan Cox --- drivers/gpu/drm/radeon/mkregtable.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/radeon/mkregtable.c b/drivers/gpu/drm/radeon/mkregtable.c index af85299..4a85bb6 100644 --- a/drivers/gpu/drm/radeon/mkregtable.c +++ b/drivers/gpu/drm/radeon/mkregtable.c @@ -655,7 +655,7 @@ static int parser_auth(struct table *t, const char *filename) /* first line will contain the last register * and gpu name */ - sscanf(buf, "%s %s", gpu_name, last_reg_s); + sscanf(buf, "%9s %9s", gpu_name, last_reg_s); t->gpu_prefix = gpu_name; last_reg = strtol(last_reg_s, NULL, 16);