[Cbe-oss-dev] [PATCH] powerpc/spufs: Fix incorrect buffer offset in regs write
Geert Uytterhoeven
Geert.Uytterhoeven at sonycom.com
Wed Mar  4 19:36:53 EST 2009

On Wed, 4 Mar 2009, Jeremy Kerr wrote:
> We need to offset by *pos bytes, not *pos words.
> 
> Signed-off-by: Jeremy Kerr <jk at ozlabs.org>
> 
> ---
>  arch/powerpc/platforms/cell/spufs/file.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
> index 83ef889..6b10877 100644
> --- a/arch/powerpc/platforms/cell/spufs/file.c
> +++ b/arch/powerpc/platforms/cell/spufs/file.c
> @@ -578,7 +578,7 @@ spufs_regs_write(struct file *file, const char __user *buffer,
>  	if (ret)
>  		return ret;
>  
> -	ret = copy_from_user(lscsa->gprs + *pos - size,
> +	ret = copy_from_user((char *)lscsa->gprs + *pos - size,
>  			     buffer, size) ? -EFAULT : size;
>  
>  	spu_release_saved(ctx);
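
Review bot: The changelog does not say what the old destination expression in the copy_from_user() call could reach, and that is what decides whether this needs a stable backport. With `lscsa->gprs + *pos - size` the offset was scaled by the element size of gprs, so a write starting at a non-zero offset landed past the intended byte position; whether it could land outside the gprs array depends on the bounds check on *pos and size earlier in spufs_regs_write(), which is not part of this hunk. Please state in the commit message the largest offset the old code could produce relative to sizeof(lscsa->gprs), and confirm that the earlier clamp is computed in bytes so that it matches the new `(char *)` arithmetic. The destination is also derived as `*pos - size`, which suggests *pos is advanced before the copy; if so, it stays advanced on the -EFAULT path, which is worth a second look.
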
Could this be abused by an attacker to write registers or local store he's not
allowed to?

Should it be backported to stable?

With kind regards,
Geert Uytterhoeven
Software Architect
Sony Techsoft Centre Europe