21cf734c79
As pointed by KASAN: BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880000038d8c Read of size 128 by task systemd-udevd/2536 page:ffffea0000000800 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0xffff8000004000(head) page dumped because: kasan: bad access detected CPU: 1 PID: 2536 Comm: systemd-udevd Not tainted 4.5.0-rc3+ #47 Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015 ffff880000038d8c ffff8803b0f1f1e8 ffffffff81933901 0000000000000080 ffff8803b0f1f280 ffff8803b0f1f270 ffffffff815602c5 ffffffff8284cf93 ffffffff822ddc00 0000000000000282 0000000000000001 ffff88009c7c6000 Call Trace: [<ffffffff81933901>] dump_stack+0x85/0xc4 [<ffffffff815602c5>] kasan_report_error+0x525/0x550 [<ffffffff815606e9>] kasan_report+0x39/0x40 [<ffffffff8155f84d>] memcpy+0x1d/0x40 [<ffffffffa120cb90>] smscore_set_device_mode+0xee0/0x2560 [smsmdtv] Such error happens at the memcpy code below: 0x4bc0 is in smscore_set_device_mode (drivers/media/common/siano/smscoreapi.c:975). 970 sizeof(u32) + payload_size)); 971 972 data_msg->mem_addr = mem_address; 973 memcpy(data_msg->payload, payload, payload_size); 974 975 rc = smscore_sendrequest_and_wait(coredev, data_msg, 976 data_msg->x_msg_header.msg_length, 977 &coredev->data_download_done); 978 979 payload += payload_size; The problem is that the Siano driver uses a header to store the firmware, with requires a few more bytes than allocated. Tested with: PCTV 77e (2013:0257) Hauppauge WinTV MiniStick (2040:5510) Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| sms-cards.c | ||
| sms-cards.h | ||
| smscoreapi.c | ||
| smscoreapi.h | ||
| smsdvb-debugfs.c | ||
| smsdvb-main.c | ||
| smsdvb.h | ||
| smsendian.c | ||
| smsendian.h | ||
| smsir.c | ||
| smsir.h | ||