lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <4B064B08.8090901@ladisch.de>
Date:	Fri, 20 Nov 2009 08:53:44 +0100
From:	Clemens Ladisch <clemens@...isch.de>
To:	Greg Kroah-Hartman <gregkh@...e.de>
CC:	Der Mickster <retroeffective@...il.com>,
	David Woodhouse <David.Woodhouse@...el.com>,
	linux-kernel@...r.kernel.org
Subject: [PATCH] emi62: fix crash when trying to load EMI 6|2 firmware

While converting emi62 to use request_firmware(), the driver was
also changed to use the ihex helper functions. However, this broke
the loading of the FPGA firmware because the code tries to access
the addr field of the EOF record which works with a plain array that
has an empty last record but not with the ihex helper functions
where the end of the data is signaled with a NULL record pointer,
resulting in:

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<f80d248c>] emi62_load_firmware+0x33c/0x740 [emi62]

This can be fixed by changing the loop condition to test the return
value of ihex_next_binrec() directly (like in emi26.c).

Signed-off-by: Clemens Ladisch <clemens@...isch.de>
Reported-and-tested-by: Der Mickster <retroeffective@...il.com>
Acked-By: David Woodhouse <David.Woodhouse@...el.com>
Cc: <stable@...nel.org>

--- sad-penguin/drivers/usb/misc/emi62.c
+++ happy-penguin/drivers/usb/misc/emi62.c
@@ -167,7 +167,7 @@ static int emi62_load_firmware (struct u
 			err("%s - error loading firmware: error = %d", __func__, err);
 			goto wraperr;
 		}
-	} while (i > 0);
+	} while (rec);
 
 	/* Assert reset (stop the CPU in the EMI) */
 	err = emi62_set_reset(dev,1);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ