diff options
authorAndi Kleen <>2020-05-30 14:51:18 +1000
committerStephen Rothwell <>2020-06-02 19:28:40 +1000
commitcffaeabf2a6f6d912f74d1662374da177cef5a2d (patch)
parent8fa6b73312f027f5712493ca27af57f51e1eb4ab (diff)
drivers/media/platform/sti/delta/delta-ipc.c: fix read buffer overflow
The single caller passes a string to delta_ipc_open, which copies with a fixed size larger than the string. So it copies some random data after the original string the ro segment. If the string was at the end of a page it may fault. Just copy the string with a normal strcpy after clearing the field. Found by a LTO build (which errors out) because the compiler inlines the functions and can resolve the string sizes and triggers the compile time checks in memcpy. In function `memcpy', inlined from `delta_ipc_open.constprop' at linux/drivers/media/platform/sti/delta/delta-ipc.c:178:0, inlined from `delta_mjpeg_ipc_open' at linux/drivers/media/platform/sti/delta/delta-mjpeg-dec.c:227:0, inlined from `delta_mjpeg_decode' at linux/drivers/media/platform/sti/delta/delta-mjpeg-dec.c:403:0: /home/andi/lsrc/linux/include/linux/string.h:337:0: error: call to `__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter __read_overflow2(); Link: Signed-off-by: Andi Kleen <> Cc: Hugues FRUCHET <> Signed-off-by: Andrew Morton <> Signed-off-by: Stephen Rothwell <>
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/media/platform/sti/delta/delta-ipc.c b/drivers/media/platform/sti/delta/delta-ipc.c
index 186d88f02ecd..371429d81ea1 100644
--- a/drivers/media/platform/sti/delta/delta-ipc.c
+++ b/drivers/media/platform/sti/delta/delta-ipc.c
@@ -175,8 +175,8 @@ int delta_ipc_open(struct delta_ctx *pctx, const char *name,
msg.ipc_buf_size = ipc_buf_size;
msg.ipc_buf_paddr = ctx->ipc_buf->paddr;
- memcpy(, name, sizeof(;
-[sizeof( - 1] = 0;
+ memset(, 0, sizeof(;
+ strcpy(, name);
msg.param_size = param->size;
memcpy(ctx->ipc_buf->vaddr, param->data, msg.param_size);