linux/drivers
Steven Rostedt 4448008eb1 isdn: icn: Fix stack corruption bug.
Running randconfig with ktest.pl I hit this bug:

[   16.101158] ICN-ISDN-driver Rev 1.65.6.8 mem=0x000d0000
[   16.106376] icn: (line0) ICN-2B, port 0x320 added
[   16.111064] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: c1642880
[   16.111066] 
[   16.121214] Pid: 1, comm: swapper Not tainted 2.6.37-rc2-test-00124-g6656b3f #8
[   16.128499] Call Trace:
[   16.130942]  [<c0f51662>] ? printk+0x1d/0x23
[   16.135200]  [<c0f5153f>] panic+0x5c/0x162
[   16.139286]  [<c0d62a9a>] ? icn_addcard+0x6d/0xbe
[   16.143975]  [<c0445783>] print_tainted+0x0/0x8c
[   16.148582]  [<c1642880>] ? icn_init+0xd8/0xdf
[   16.153012]  [<c1642880>] icn_init+0xd8/0xdf
[   16.157271]  [<c04012e5>] do_one_initcall+0x8c/0x143
[   16.162222]  [<c16427a8>] ? icn_init+0x0/0xdf
[   16.166566]  [<c15f1a05>] kernel_init+0x13f/0x1da
[   16.171256]  [<c15f18c6>] ? kernel_init+0x0/0x1da
[   16.175945]  [<c0403bfe>] kernel_thread_helper+0x6/0x10
[   16.181181] panic occurred, switching back to text console

Looking into it I found that the stack was corrupted by the assignment
of the Rev #. The variable rev is given 10 bytes, and in this output the
characters that were copied were: " 1.65.6.8 $", which was 11 characters
plus the null ending character for a total of 12 bytes, thus corrupting
the stack.

This patch ups the variable size to 20 bytes as well as changes the
strcpy to strncpy. I also added a check to make sure '$' is found.

Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-24 11:19:05 -08:00
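
The byte counts from the commit message above, worked through in an added example that is not the driver's code and not part of the commit. The helpers `strcpy_bytes_needed` and `extract_rev` are hypothetical, and the `$Revision: ... $` keyword string is a sample constructed from the boot log line.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample, shaped like the string behind "Rev 1.65.6.8". */
static const char sample_revision[] = "$Revision: 1.65.6.8 $";

/* Bytes an unbounded strcpy() of everything after ':' would write. */
static size_t strcpy_bytes_needed(const char *keyword)
{
	const char *p = strchr(keyword, ':');

	return p ? strlen(p + 1) + 1 : 0;
}

/*
 * Hypothetical helper: copy the text between ':' and '$' into dst without
 * writing more than dstlen bytes. Returns the bytes the whole field needs
 * (NUL included) so truncation is detectable, or 0 if ':' is missing.
 */
static size_t extract_rev(char *dst, size_t dstlen, const char *keyword)
{
	const char *start, *end;
	size_t len, n;

	if (!dst || dstlen == 0)
		return 0;
	dst[0] = '\0';
	start = keyword ? strchr(keyword, ':') : NULL;
	if (!start)
		return 0;
	start++;
	end = strchr(start, '$');	/* '$' may be absent, so check */
	len = end ? (size_t)(end - start) : strlen(start);
	n = len < dstlen - 1 ? len : dstlen - 1;
	memcpy(dst, start, n);
	dst[n] = '\0';			/* always terminated */
	return len + 1;
}

int main(void)
{
	char small[10], big[20];
	size_t need = extract_rev(small, sizeof(small), sample_revision);

	printf("strcpy would write %zu bytes into a 10-byte buffer\n",
	       strcpy_bytes_needed(sample_revision));
	printf("rev[10]: need %zu, kept \"%s\"\n", need, small);
	need = extract_rev(big, sizeof(big), sample_revision);
	printf("rev[20]: need %zu, kept \"%s\"\n", need, big);
	return 0;
}
```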
..
accessibility
acpi
amba
ata drivers/ata/pata_octeon_cf.c: delete double assignment 2010-11-12 17:10:55 -05:00
atm solos: Refuse to upgrade firmware with older FPGA. It doesn't work. 2010-11-08 12:17:05 -08:00
auxdisplay
base Merge branch 'pm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/suspend-2.6 2010-10-29 15:09:56 -07:00
block Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block 2010-11-12 08:52:47 -08:00
bluetooth Bluetooth: Add MacBookAir3,1(2) support 2010-11-09 01:08:53 -02:00
cdrom
char Merge branch 'tty-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty-2.6 2010-11-12 16:02:30 -08:00
clocksource ARM: shmobile: remove sh_timer_config clk member 2010-10-31 10:40:39 -04:00
connector
cpufreq
cpuidle
crypto
dca
dio
dma drivers/dma/Kconfig: add part number for Topcliff. 2010-10-29 14:14:02 -07:00
edac
eisa
firewire Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6 2010-11-05 14:17:22 -07:00
firmware
gpio gpio: Add VIA VX855 GPIO driver 2010-10-29 00:29:51 +02:00
gpu drm/ttm: Be consistent on ttm_bo_init() failures 2010-11-10 11:52:19 +10:00
hid
hwmon hwmon: (gpio-fan) Fix fan_ctrl_init error path 2010-11-11 09:43:51 -08:00
i2c i2c-i801: Add PCI idents for Patsburg 'IDF' SMBus controllers 2010-10-31 21:07:00 +01:00
ide
idle
ieee802154
infiniband convert get_sb_single() users 2010-10-29 04:16:28 -04:00
input Input: do not pass injected events back to the originating handler 2010-11-11 01:01:26 -08:00
isdn isdn: icn: Fix stack corruption bug. 2010-11-24 11:19:05 -08:00
leds drivers/leds/leds-gpio.c: properly initialize return value 2010-11-12 07:55:32 -08:00
lguest
macintosh drivers/macintosh/adb-iop.c: flags should be unsigned long 2010-11-12 07:55:30 -08:00
mca
md block: read i_size with i_size_read() 2010-11-10 14:40:53 +01:00
media Input: ir-keytable - fix uninitialized variable warning 2010-10-31 21:05:43 -04:00
memstick
message
mfd mfd: Fix a memory leak when unload mc13xxx-core module 2010-10-29 00:30:43 +02:00
misc drivers/misc/bh1770glc.c: error handling in bh1770_power_state_store() 2010-11-12 07:55:31 -08:00
mmc mfd: Adding twl6030 mmc card detect support for MMC1 2010-10-29 00:29:59 +02:00
mtd Merge git://git.infradead.org/mtd-2.6 2010-10-30 08:31:35 -07:00
net Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2010-11-24 09:16:14 -08:00
nubus
of
oprofile Merge branches 'perf-fixes-for-linus' and 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2010-10-30 11:43:26 -07:00
parisc
parport
pci xen-pcifront: fix PCI reference leak 2010-11-08 11:41:15 -05:00
pcmcia
platform
pnp
power power: Revert "power_supply: Mark twl4030_charger as broken" 2010-10-29 00:30:44 +02:00
pps
ps3
rapidio rapidio: use resource_size() 2010-11-12 07:55:30 -08:00
regulator regulator: max8998 BUCK1/2 voltage change with use of GPIOs 2010-10-29 00:30:15 +02:00
rtc sh: mach-snapgear: Kill off machtype, consolidate board def. 2010-10-29 19:06:53 +09:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-11-12 17:17:55 -08:00
sbus
scsi block: remove REQ_HARDBARRIER 2010-11-10 14:54:09 +01:00
serial Merge branch 'tty-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty-2.6 2010-11-12 16:02:30 -08:00
sfi
sh Merge branches 'sh/pio-death', 'sh/nommu', 'sh/clkfwk', 'sh/core' and 'sh/intc-extension' into sh-fixes-for-linus 2010-11-08 09:42:43 +09:00
sn
spi Merge branch 'next-spi' of git://git.secretlab.ca/git/linux-2.6 2010-11-01 07:50:43 -04:00
ssb ssb: b43-pci-bridge: Add new vendor for BCM4318 2010-11-22 15:19:31 -05:00
staging Staging: Merge 'tidspbridge-2.6.37-rc1' into staging-linus 2010-11-11 05:14:54 -08:00
tc
telephony
thermal
tty n_gsm: Fix length handling 2010-11-11 11:06:09 -08:00
uio
usb Merge branch 'usb-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6 2010-11-12 17:13:28 -08:00
uwb UWB: Return UWB_RSV_ALLOC_NOT_FOUND rather than crashing on NULL dereference if kzalloc fails 2010-11-11 07:14:07 -08:00
vhost
video backlight: MacBookAir3,1(3,2) mbp-nvidia-bl support 2010-11-12 07:55:33 -08:00
virtio
vlynq
w1
watchdog WATCHDOG: octeon-wdt: Use I/O clock rate for timing calculations. 2010-10-29 19:08:42 +01:00
xen Merge branch 'upstream/core' of git://git.kernel.org/pub/scm/linux/kernel/git/jeremy/xen 2010-11-12 16:01:55 -08:00
zorro
Kconfig
Makefile TTY: create drivers/tty and move the tty core files there 2010-11-05 08:10:33 -07:00