diff options
author | Jeremy Kerr <jk@ozlabs.org> | 2007-12-20 16:39:59 +0900 |
---|---|---|
committer | Paul Mackerras <paulus@samba.org> | 2007-12-21 19:46:22 +1100 |
commit | cbea92383d0d55fb4b4eb5833488bfee325254d6 (patch) | |
tree | 988bf369946836d95a549059d2d01998d252e673 | |
parent | 18789fb1c3311dd8c25acb6eb5ccab05771843f2 (diff) | |
download | kernel_samsung_tuna-cbea92383d0d55fb4b4eb5833488bfee325254d6.zip kernel_samsung_tuna-cbea92383d0d55fb4b4eb5833488bfee325254d6.tar.gz kernel_samsung_tuna-cbea92383d0d55fb4b4eb5833488bfee325254d6.tar.bz2 |
[POWERPC] spufs: Don't leak kernel stack through an empty {i,m}box_info read
Based on an original patch from Arnd Bergmann
<arnd.bergmann@de.ibm.com>
If there's no entry in the mailbox, then a read on the _info file will
return data from an uninitialised variable.
This change returns EOF if there's no mailbox info available instead.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>
-rw-r--r-- | arch/powerpc/platforms/cell/spufs/file.c | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c index ba6101a..3fcd064 100644 --- a/arch/powerpc/platforms/cell/spufs/file.c +++ b/arch/powerpc/platforms/cell/spufs/file.c @@ -2026,13 +2026,13 @@ static const struct file_operations spufs_caps_fops = { static ssize_t __spufs_mbox_info_read(struct spu_context *ctx, char __user *buf, size_t len, loff_t *pos) { - u32 mbox_stat; u32 data; - mbox_stat = ctx->csa.prob.mb_stat_R; - if (mbox_stat & 0x0000ff) { - data = ctx->csa.prob.pu_mb_R; - } + /* EOF if there's no entry in the mbox */ + if (!(ctx->csa.prob.mb_stat_R & 0x0000ff)) + return 0; + + data = ctx->csa.prob.pu_mb_R; return simple_read_from_buffer(buf, len, pos, &data, sizeof data); } @@ -2066,13 +2066,13 @@ static const struct file_operations spufs_mbox_info_fops = { static ssize_t __spufs_ibox_info_read(struct spu_context *ctx, char __user *buf, size_t len, loff_t *pos) { - u32 ibox_stat; u32 data; - ibox_stat = ctx->csa.prob.mb_stat_R; - if (ibox_stat & 0xff0000) { - data = ctx->csa.priv2.puint_mb_R; - } + /* EOF if there's no entry in the ibox */ + if (!(ctx->csa.prob.mb_stat_R & 0xff0000)) + return 0; + + data = ctx->csa.priv2.puint_mb_R; return simple_read_from_buffer(buf, len, pos, &data, sizeof data); } |