aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJeremy Kerr <jk@ozlabs.org>2007-12-20 16:39:59 +0900
committerPaul Mackerras <paulus@samba.org>2007-12-21 19:46:22 +1100
commitcbea92383d0d55fb4b4eb5833488bfee325254d6 (patch)
tree988bf369946836d95a549059d2d01998d252e673
parent18789fb1c3311dd8c25acb6eb5ccab05771843f2 (diff)
downloadkernel_samsung_tuna-cbea92383d0d55fb4b4eb5833488bfee325254d6.zip
kernel_samsung_tuna-cbea92383d0d55fb4b4eb5833488bfee325254d6.tar.gz
kernel_samsung_tuna-cbea92383d0d55fb4b4eb5833488bfee325254d6.tar.bz2
[POWERPC] spufs: Don't leak kernel stack through an empty {i,m}box_info read
Based on an original patch from Arnd Bergmann <arnd.bergmann@de.ibm.com> If there's no entry in the mailbox, then a read on the _info file will return data from an uninitialised variable. This change returns EOF if there's no mailbox info available instead. Signed-off-by: Jeremy Kerr <jk@ozlabs.org> Signed-off-by: Paul Mackerras <paulus@samba.org>
-rw-r--r--arch/powerpc/platforms/cell/spufs/file.c20
1 files changed, 10 insertions, 10 deletions
diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
index ba6101a..3fcd064 100644
--- a/arch/powerpc/platforms/cell/spufs/file.c
+++ b/arch/powerpc/platforms/cell/spufs/file.c
@@ -2026,13 +2026,13 @@ static const struct file_operations spufs_caps_fops = {
static ssize_t __spufs_mbox_info_read(struct spu_context *ctx,
char __user *buf, size_t len, loff_t *pos)
{
- u32 mbox_stat;
u32 data;
- mbox_stat = ctx->csa.prob.mb_stat_R;
- if (mbox_stat & 0x0000ff) {
- data = ctx->csa.prob.pu_mb_R;
- }
+ /* EOF if there's no entry in the mbox */
+ if (!(ctx->csa.prob.mb_stat_R & 0x0000ff))
+ return 0;
+
+ data = ctx->csa.prob.pu_mb_R;
return simple_read_from_buffer(buf, len, pos, &data, sizeof data);
}
@@ -2066,13 +2066,13 @@ static const struct file_operations spufs_mbox_info_fops = {
static ssize_t __spufs_ibox_info_read(struct spu_context *ctx,
char __user *buf, size_t len, loff_t *pos)
{
- u32 ibox_stat;
u32 data;
- ibox_stat = ctx->csa.prob.mb_stat_R;
- if (ibox_stat & 0xff0000) {
- data = ctx->csa.priv2.puint_mb_R;
- }
+ /* EOF if there's no entry in the ibox */
+ if (!(ctx->csa.prob.mb_stat_R & 0xff0000))
+ return 0;
+
+ data = ctx->csa.priv2.puint_mb_R;
return simple_read_from_buffer(buf, len, pos, &data, sizeof data);
}