[Bugme-new] [Bug 11397] New: possible buffer overflow on stack
bugme-daemon at bugzilla.kernel.org
Thu Aug 21 16:00:38 PDT 2008
http://bugzilla.kernel.org/show_bug.cgi?id=11397
Summary: possible buffer overflow on stack
Product: Drivers
Version: 2.5
KernelVersion: 2.6.26
Platform: All
OS/Version: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: PCI
AssignedTo: drivers_pci at kernel-bugs.osdl.org
ReportedBy: zrakamar at cs.ubc.ca
Problem Description:
The problem is actually pretty simple. Here is the piece of source code from
applicom.c which I believe has a bug:
static int do_ac_read(int IndexCard, char __user *buf,
                      struct st_ram_io *st_loc, struct mailbox *mailbox)
{
        .....
        unsigned char *to = (unsigned char *)&mailbox;
        .....
        {
                int c;
                for (c = 0; c < sizeof(struct mailbox); c++)
                        *(to++) = readb(from++);
        }
I believe that the code should initialize the structure mailbox using readb.
However, it is actually writing over the pointer to mailbox because of this
line:
unsigned char *to = (unsigned char *)&mailbox;
I think this line should actually be:
unsigned char *to = (unsigned char *)mailbox;
I found this bug using my own static checker for low-level systems software
whose codename is Smack, which I am developing as a part of my PhD. For the
sake of my research (and also I am currently in the process of writing a
paper), I would greatly appreciate it if you could confirm/dispute the bug.
Thanks!
-- Zvonimir
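A user-space model of the copy loop, added here as an illustration and not taken from applicom.c: the struct layout and the fake_readb()/card_window names are assumptions standing in for the driver's real struct mailbox and the card's memory-mapped window. The corrected loop (cast of mailbox, not &mailbox) is run and checked byte for byte; the original line is not executed, since its destination is the local pointer variable itself, so the code instead computes how many bytes that store would run past it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the driver's struct mailbox (the real layout lives in
 * applicom.h and is larger); 16 bytes, no padding, so a raw byte copy fills it exactly. */
struct mailbox {
    uint16_t status;
    uint8_t  data[14];
};

/* Constructed sample: the bytes the card would present in its I/O window. */
static const unsigned char card_window[sizeof(struct mailbox)] = {
    0x34, 0x12, 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N'
};

/* User-space stand-in for the kernel's readb(): one byte from the fake I/O window. */
static unsigned char fake_readb(const unsigned char *addr)
{
    return *addr;
}

/* Corrected copy loop: 'to' addresses the caller's struct, so all
 * sizeof(struct mailbox) bytes land inside it. */
static void ac_read_mailbox_fixed(struct mailbox *mailbox)
{
    const unsigned char *from = card_window;
    unsigned char *to = (unsigned char *)mailbox;  /* the report's fix: mailbox, not &mailbox */
    size_t c;

    for (c = 0; c < sizeof(struct mailbox); c++)
        *(to++) = fake_readb(from++);
}

/* Size of the store that the original '&mailbox' line directs past the end of the
 * local pointer variable: the destination is only sizeof(struct mailbox *) bytes wide,
 * yet the loop writes sizeof(struct mailbox) bytes. Computed rather than executed,
 * because executing it corrupts the stack frame of the calling function. */
static size_t stack_overrun_bytes(void)
{
    size_t destination = sizeof(struct mailbox *);
    size_t copied = sizeof(struct mailbox);

    return copied > destination ? copied - destination : 0;
}

/* Runs the corrected loop and checks the struct now mirrors the I/O window byte for byte. */
static int fixed_copy_ok(void)
{
    struct mailbox mb;

    memset(&mb, 0, sizeof mb);
    ac_read_mailbox_fixed(&mb);
    return memcmp(&mb, card_window, sizeof mb) == 0;
}

int main(void)
{
    printf("corrected loop fills the struct: %s\n", fixed_copy_ok() ? "yes" : "no");
    printf("bytes the original line writes past the pointer variable: %zu\n",
           stack_overrun_bytes());
    return fixed_copy_ok() ? 0 : 1;
}
```

The cast in the original line compiles cleanly because casting the address of any object to unsigned char * is legal C, so nothing at build time flags that the destination is an 8-byte pointer rather than the struct it points to; with the real, larger struct the overrun is correspondingly bigger. Whether a stack canary catches it at function return depends on the frame layout, which is why a static checker that tracks object sizes through casts, as the report describes, is the more reliable way to find this class of defect.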