[Cbe-oss-dev] [PATCH] powerpc/spufs: Fix incorrect buffer offset in regs write

Geert Uytterhoeven Geert.Uytterhoeven at sonycom.com
Wed Mar 4 19:36:53 EST 2009


On Wed, 4 Mar 2009, Jeremy Kerr wrote:
> We need to offset by *pos bytes, not *pos words.
> 
> Signed-off-by: Jeremy Kerr <jk at ozlabs.org>
> 
> ---
>  arch/powerpc/platforms/cell/spufs/file.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
> index 83ef889..6b10877 100644
> --- a/arch/powerpc/platforms/cell/spufs/file.c
> +++ b/arch/powerpc/platforms/cell/spufs/file.c
> @@ -578,7 +578,7 @@ spufs_regs_write(struct file *file, const char __user *buffer,
>  	if (ret)
>  		return ret;
>  
> -	ret = copy_from_user(lscsa->gprs + *pos - size,
> +	ret = copy_from_user((char *)lscsa->gprs + *pos - size,
>  			     buffer, size) ? -EFAULT : size;
>  
>  	spu_release_saved(ctx);

Could this be abused by an attacker to write registers or local store he's not
allowed to do?

Should it be backported to stable?

With kind regards,

Geert Uytterhoeven
Software Architect

Sony Techsoft Centre Europe
The Corporate Village · Da Vincilaan 7-D1 · B-1935 Zaventem · Belgium

Phone:    +32 (0)2 700 8453
Fax:      +32 (0)2 700 8622
E-mail:   Geert.Uytterhoeven at sonycom.com
Internet: http://www.sony-europe.com/

A division of Sony Europe (Belgium) N.V.
VAT BE 0413.825.160 · RPR Brussels
Fortis · BIC GEBABEBB · IBAN BE41293037680010



More information about the cbe-oss-dev mailing list