| From b4c233057771581698a13694ab6f33b48ce837dc Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Thu, 5 Dec 2013 17:53:50 +0300 |
| Subject: mtd: sm_ftl: heap corruption in sm_create_sysfs_attributes() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit b4c233057771581698a13694ab6f33b48ce837dc upstream. |
| |
| We always put a NUL terminator one space past the end of the "vendor" |
| buffer. Walter Harms also pointed out that this should just use |
| kstrndup(). |
| |
| Fixes: 7d17c02a01a1 ('mtd: Add new SmartMedia/xD FTL') |
| |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Brian Norris <computersforpeace@gmail.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/mtd/sm_ftl.c | 11 ++++------- |
| 1 file changed, 4 insertions(+), 7 deletions(-) |
| |
| --- a/drivers/mtd/sm_ftl.c |
| +++ b/drivers/mtd/sm_ftl.c |
| @@ -59,15 +59,12 @@ struct attribute_group *sm_create_sysfs_ |
| struct attribute_group *attr_group; |
| struct attribute **attributes; |
| struct sm_sysfs_attribute *vendor_attribute; |
| + char *vendor; |
| |
| - int vendor_len = strnlen(ftl->cis_buffer + SM_CIS_VENDOR_OFFSET, |
| - SM_SMALL_PAGE - SM_CIS_VENDOR_OFFSET); |
| - |
| - char *vendor = kmalloc(vendor_len, GFP_KERNEL); |
| + vendor = kstrndup(ftl->cis_buffer + SM_CIS_VENDOR_OFFSET, |
| + SM_SMALL_PAGE - SM_CIS_VENDOR_OFFSET, GFP_KERNEL); |
| if (!vendor) |
| goto error1; |
| - memcpy(vendor, ftl->cis_buffer + SM_CIS_VENDOR_OFFSET, vendor_len); |
| - vendor[vendor_len] = 0; |
| |
| /* Initialize sysfs attributes */ |
| vendor_attribute = |
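Review bot: The string duplicated by `kstrndup()` is read from the card's CIS buffer, so its content and termination are set by the inserted media, and the new lines carry no comment saying why the copy is bounded. I would add above the call: `/* CIS data comes from the media and may lack a NUL; bound the copy to the rest of the small page */`. The bound `SM_SMALL_PAGE - SM_CIS_VENDOR_OFFSET` is only safe if `cis_buffer` holds at least `SM_SMALL_PAGE` bytes; that allocation is outside this hunk and should be confirmed. The function body also continues past the hunk, so whether `vendor` is freed on the later error paths cannot be checked from here.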
| @@ -78,7 +75,7 @@ struct attribute_group *sm_create_sysfs_ |
| sysfs_attr_init(&vendor_attribute->dev_attr.attr); |
| |
| vendor_attribute->data = vendor; |
| - vendor_attribute->len = vendor_len; |
| + vendor_attribute->len = strlen(vendor); |
| vendor_attribute->dev_attr.attr.name = "vendor"; |
| vendor_attribute->dev_attr.attr.mode = S_IRUGO; |
| vendor_attribute->dev_attr.show = sm_attr_show; |