[Cbe-oss-dev] [PATCH v2] spufs: Don't copy uninitialised data during mbox_info reads

Arnd Bergmann arnd at arndb.de
Fri Jul 6 21:02:32 EST 2007


For the spufs {m,i}box_info files, we always copy data out,
independent of whether the respective mailbox contains
data or not, so we can leak uninitialized stack data
and get unexpected behaviour.

This change makes the {m,i}box_info behave like the wbox_info
file and only copy out data that is actually present.

Signed-off-by: Arnd Bergmann <arnd.bergmann at de.ibm.com>

---
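To make the bug class in the description concrete outside the kernel tree, here is an added userspace model (not code from the patch or from spufs) of the two read paths: the old one copies `data` out regardless of the mailbox status, the new one returns EOF when the status byte is zero. The `struct spu_ctx`, the stale-word argument and `model_simple_read_from_buffer()` are constructed stand-ins for the `csa.prob` fields and for the kernel's `simple_read_from_buffer()`; the value 0xDEADBEEF is a constructed marker for whatever the uninitialised stack slot would have held.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

typedef uint32_t u32;
typedef int64_t loff_t;

/* Hypothetical stand-in for the two csa fields the patch touches. */
struct spu_ctx {
	u32 mb_stat_R;   /* mailbox status word; bits 0-7 = PU mailbox count, per the 0x0000ff mask */
	u32 pu_mb_R;     /* PU mailbox data register */
};

/* Userspace model of the kernel helper: copy `available` bytes of `from`,
 * starting at *ppos, into `to`, and advance *ppos. Returns bytes copied. */
static ssize_t model_simple_read_from_buffer(void *to, size_t count, loff_t *ppos,
					     const void *from, size_t available)
{
	loff_t pos = *ppos;

	if (pos < 0)
		return -1;
	if ((size_t)pos >= available || count == 0)
		return 0;
	if (count > available - (size_t)pos)
		count = available - (size_t)pos;
	memcpy(to, (const char *)from + pos, count);
	*ppos = pos + (loff_t)count;
	return (ssize_t)count;
}

/* Pre-patch shape: `data` is only assigned when the mailbox has content,
 * but it is copied to the caller unconditionally. `stale` is a constructed
 * stand-in for the leftover stack contents the real function would leak. */
static ssize_t mbox_info_read_before(const struct spu_ctx *ctx, void *buf, size_t len,
				     loff_t *pos, u32 stale)
{
	u32 data = stale;

	if (ctx->mb_stat_R & 0x0000ff)
		data = ctx->pu_mb_R;
	return model_simple_read_from_buffer(buf, len, pos, &data, sizeof data);
}

/* Post-patch shape: an empty mailbox reads as EOF and nothing is copied out. */
static ssize_t mbox_info_read_after(const struct spu_ctx *ctx, void *buf, size_t len,
				    loff_t *pos)
{
	u32 data;

	if (!(ctx->mb_stat_R & 0x0000ff))
		return 0;
	data = ctx->pu_mb_R;
	return model_simple_read_from_buffer(buf, len, pos, &data, sizeof data);
}

/* Bytes handed to the caller for an empty mailbox, old path vs. new path. */
static ssize_t empty_mbox_bytes_before(u32 *out)
{
	struct spu_ctx ctx = { .mb_stat_R = 0, .pu_mb_R = 0 };
	loff_t pos = 0;

	*out = 0;
	return mbox_info_read_before(&ctx, out, sizeof *out, &pos, 0xDEADBEEFu);
}

static ssize_t empty_mbox_bytes_after(u32 *out)
{
	struct spu_ctx ctx = { .mb_stat_R = 0, .pu_mb_R = 0 };
	loff_t pos = 0;

	*out = 0;
	return mbox_info_read_after(&ctx, out, sizeof *out, &pos);
}

int main(void)
{
	u32 word;
	ssize_t n;

	n = empty_mbox_bytes_before(&word);
	printf("before: %zd bytes, value 0x%08x (stale stack word reached the caller)\n", n, word);
	n = empty_mbox_bytes_after(&word);
	printf("after:  %zd bytes, value 0x%08x (EOF, nothing copied)\n", n, word);
	return 0;
}
```

The model keeps the kernel's read semantics: `*pos` is only advanced when bytes are actually copied, so the fixed path leaves the file position untouched on an empty mailbox, exactly as the `return 0` in the hunk does.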

On Friday 06 July 2007, Arnd Bergmann wrote:

> I think the fix should not be to return zeroes, because that
> is not the actual content of the mailbox, but rather to 
> not read any data at all if there is none.
> 
> Note that for wbox we already do it correctly, only ibox and mbox
> have this bug.

Index: linux-2.6/arch/powerpc/platforms/cell/spufs/file.c
===================================================================
--- linux-2.6.orig/arch/powerpc/platforms/cell/spufs/file.c
+++ linux-2.6/arch/powerpc/platforms/cell/spufs/file.c
@@ -1830,10 +1830,10 @@ static ssize_t __spufs_mbox_info_read(st
 	u32 data;
 
 	mbox_stat = ctx->csa.prob.mb_stat_R;
-	if (mbox_stat & 0x0000ff) {
-		data = ctx->csa.prob.pu_mb_R;
-	}
+	if (!(mbox_stat & 0x0000ff))
+		return 0;
 
+	data = ctx->csa.prob.pu_mb_R;
 	return simple_read_from_buffer(buf, len, pos, &data, sizeof data);
 }
 
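Review bot: the early `return 0` in `if (!(mbox_stat & 0x0000ff)) return 0;` reports EOF for an empty mailbox, which is the same result a second read() gets after the four bytes have been consumed, so a caller cannot tell "empty" from "already read" from the return value alone; the description says this matches wbox_info, which is fine, but a one-line comment above the check saying that an empty mailbox reads as EOF would spare the next reader a trip to wbox_info. The `0x0000ff` mask is also a bare magic number; a named constant for the PU mailbox count field would make its pairing with the `0xff0000` mask in the ibox hunk explicit.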
@@ -1868,10 +1868,10 @@ static ssize_t __spufs_ibox_info_read(st
 	u32 data;
 
 	ibox_stat = ctx->csa.prob.mb_stat_R;
-	if (ibox_stat & 0xff0000) {
-		data = ctx->csa.priv2.puint_mb_R;
-	}
+	if (!(ibox_stat & 0xff0000))
+		return 0;
 
+	data = ctx->csa.priv2.puint_mb_R;
 	return simple_read_from_buffer(buf, len, pos, &data, sizeof data);
 }
 
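Review bot: `ibox_stat` is loaded from the same `mb_stat_R` word as `mbox_stat`, and after this change the two function bodies differ only in the mask (`0xff0000` here versus `0x0000ff` for mbox) and the source register (`ctx->csa.priv2.puint_mb_R` versus `ctx->csa.prob.pu_mb_R`); a small shared helper taking the mask and the data word would remove the duplication and make it harder for a future fix to land in one copy and not the other. Note also that `u32 data;` stays uninitialised at its declaration; that is safe only because the early return now precedes the single copy-out, so keeping the `data = ...` assignment directly adjacent to the `simple_read_from_buffer()` call, as this hunk does, is what preserves the fix.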


