From: Tim Sell Date: Mon, 13 Jul 2015 18:51:24 +0000 (-0400) Subject: staging: unisys: fix random memory corruption in visorchannel_write() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=d253058f490febdfdbe0a0f09a25166c71afd2b3;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git staging: unisys: fix random memory corruption in visorchannel_write() visorchannel_write() and it's user visorbus_write_channel() are exported, so all visorbus function drivers (i.e., drivers that call visorbus_register_visor_driver()) are potentially affected by the bug. Because of pointer-arithmetic rules, the address being written to in the affected code was actually at byte offset: sizeof(struct channel_header) * offset instead of just bytes as intended. The bug could cause some very difficult-to-diagnose symptoms. The particular problem that led me on this chase was a kernel fault that would occur during 'insmod visornic' after a previous 'rmmod visornic', where we would fault during netdev_register_kobject() within pm_runtime_set_memalloc_noio() while traversing a device list, which occurred because dev->parent for the visorbus device had become corrupted. Fixes: 0abb60c1c ('staging: unisys: visorchannel_write(): Handle...') Signed-off-by: Tim Sell Acked-by: Don Zickus Signed-off-by: Benjamin Romer Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/unisys/visorbus/visorchannel.c b/drivers/staging/unisys/visorbus/visorchannel.c index 20b63496e9f2..af349c8a3693 100644 --- a/drivers/staging/unisys/visorbus/visorchannel.c +++ b/drivers/staging/unisys/visorbus/visorchannel.c @@ -259,7 +259,8 @@ visorchannel_write(struct visorchannel *channel, ulong offset, if (offset < chdr_size) { copy_size = min(chdr_size - offset, nbytes); - memcpy(&channel->chan_hdr + offset, local, copy_size); + memcpy(((char *)(&channel->chan_hdr)) + offset, + local, copy_size); } memcpy_toio(channel->mapped + offset, local, nbytes);