From cbea92383d0d55fb4b4eb5833488bfee325254d6 Mon Sep 17 00:00:00 2001 From: Jeremy Kerr Date: Thu, 20 Dec 2007 16:39:59 +0900 Subject: [PATCH] [POWERPC] spufs: Don't leak kernel stack through an empty {i,m}box_info read Based on an original patch from Arnd Bergmann If there's no entry in the mailbox, then a read on the _info file will return data from an uninitialised variable. This change returns EOF if there's no mailbox info available instead. Signed-off-by: Jeremy Kerr Signed-off-by: Paul Mackerras --- arch/powerpc/platforms/cell/spufs/file.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c index ba6101ae73..3fcd06418b 100644 --- a/arch/powerpc/platforms/cell/spufs/file.c +++ b/arch/powerpc/platforms/cell/spufs/file.c @@ -2026,13 +2026,13 @@ static const struct file_operations spufs_caps_fops = { static ssize_t __spufs_mbox_info_read(struct spu_context *ctx, char __user *buf, size_t len, loff_t *pos) { - u32 mbox_stat; u32 data; - mbox_stat = ctx->csa.prob.mb_stat_R; - if (mbox_stat & 0x0000ff) { - data = ctx->csa.prob.pu_mb_R; - } + /* EOF if there's no entry in the mbox */ + if (!(ctx->csa.prob.mb_stat_R & 0x0000ff)) + return 0; + + data = ctx->csa.prob.pu_mb_R; return simple_read_from_buffer(buf, len, pos, &data, sizeof data); } @@ -2066,13 +2066,13 @@ static const struct file_operations spufs_mbox_info_fops = { static ssize_t __spufs_ibox_info_read(struct spu_context *ctx, char __user *buf, size_t len, loff_t *pos) { - u32 ibox_stat; u32 data; - ibox_stat = ctx->csa.prob.mb_stat_R; - if (ibox_stat & 0xff0000) { - data = ctx->csa.priv2.puint_mb_R; - } + /* EOF if there's no entry in the ibox */ + if (!(ctx->csa.prob.mb_stat_R & 0xff0000)) + return 0; + + data = ctx->csa.priv2.puint_mb_R; return simple_read_from_buffer(buf, len, pos, &data, sizeof data); } -- 2.39.5