* Re: [PATCH] bttv: correct bttv_risc_packed buffer size
[not found] <5yQ4M-7PJ-11@gated-at.bofh.it>
@ 2006-01-25 18:37 ` Bodo Eggert
2006-01-26 8:02 ` Duncan Sands
0 siblings, 1 reply; 3+ messages in thread
From: Bodo Eggert @ 2006-01-25 18:37 UTC (permalink / raw)
To: Duncan Sands, mchehab, Linux Kernel list
Duncan Sands <duncan.sands@math.u-psud.fr> wrote:
> This patch fixes the strange crashes I was seeing after using
> my bttv card to watch television. They were caused by a
> buffer overflow in bttv_risc_packed.
<snip>
Would these errors e.g. cause a corruption of exactly four bytes at the start
of random pages?
--
Ich danke GMX dafür, die Verwendung meiner Adressen mittels per SPF
verbreiteten Lügen zu sabotieren.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] bttv: correct bttv_risc_packed buffer size
2006-01-25 18:37 ` [PATCH] bttv: correct bttv_risc_packed buffer size Bodo Eggert
@ 2006-01-26 8:02 ` Duncan Sands
0 siblings, 0 replies; 3+ messages in thread
From: Duncan Sands @ 2006-01-26 8:02 UTC (permalink / raw)
To: 7eggert; +Cc: mchehab, Linux Kernel list
Hi Bodo,
> > This patch fixes the strange crashes I was seeing after using
> > my bttv card to watch television. They were caused by a
> > buffer overflow in bttv_risc_packed.
>
> <snip>
>
> Would these errors e.g. cause a corruption of exactly four bytes at the start
> of random pages?
I don't think so. It should cause either no corruption or at least 8 bytes worth
(it does pairs of 4 byte writes). What you might see is an Oops when it tries to
write the first 4 bytes at the start of a page, because of a page fault, but then
the write doesn't happen and there is no corruption...
Best wishes,
Duncan.
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH] bttv: correct bttv_risc_packed buffer size
@ 2006-01-25 10:24 Duncan Sands
0 siblings, 0 replies; 3+ messages in thread
From: Duncan Sands @ 2006-01-25 10:24 UTC (permalink / raw)
To: mchehab; +Cc: Linux Kernel list
[-- Attachment #1: Type: text/plain, Size: 1346 bytes --]
This patch fixes the strange crashes I was seeing after using
my bttv card to watch television. They were caused by a
buffer overflow in bttv_risc_packed.
The instruction buffer size calculation contains two errors:
(a) a non-zero padding value can push the start of the next bpl
section to just before a page border, leading to more scanline
splits and thus additional instructions.
(b) the first DMA region can be smaller than one page, so there can
be a scanline split even if bpl*lines is smaller than PAGE_SIZE.
For example, consider the case where offset is 0, bpl is 2, padding
is 4094, lines is smaller than 2048, the first DMA region has size 1
and all others have size PAGE_SIZE, assumed to equal 4096. Then
all bpl regions cross page borders and the number of instructions
written is 2*lines+2, rather than lines+2 (the current estimate).
With this patch the number of instructions for this example is
estimated to be 2*lines+3.
Also, the BUG_ON that was supposed to catch buffer overflows contained
a thinko causing it fire only if the buffer was overrun by a factor of
16 or more.
I didn't check whether similar mistakes exist elsewhere in the bttv
code.
Signed-off-by: Duncan Sands <baldrick@free.fr>
PS: I'm sending the patch as an attachment because for some reason my
mailer crashes if I try to insert it into the email.
[-- Attachment #2: bttv --]
[-- Type: text/x-diff, Size: 1056 bytes --]
Index: Linux/drivers/media/video/bttv-risc.c
===================================================================
--- Linux.orig/drivers/media/video/bttv-risc.c 2006-01-24 10:09:21.000000000 +0100
+++ Linux/drivers/media/video/bttv-risc.c 2006-01-24 10:16:06.000000000 +0100
@@ -51,8 +51,10 @@
int rc;
/* estimate risc mem: worst case is one write per page border +
- one write per scan line + sync + jump (all 2 dwords) */
- instructions = (bpl * lines) / PAGE_SIZE + lines;
+ one write per scan line + sync + jump (all 2 dwords). padding
+ can cause next bpl to start close to a page border. First DMA
+ region may be smaller than PAGE_SIZE */
+ instructions = 1 + ((bpl + padding) * lines) / PAGE_SIZE + lines;
instructions += 2;
if ((rc = btcx_riscmem_alloc(btv->c.pci,risc,instructions*8)) < 0)
return rc;
@@ -104,7 +106,7 @@
/* save pointer to jmp instruction address */
risc->jmp = rp;
- BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size);
+ BUG_ON(4 * (risc->jmp - risc->cpu + 2) > risc->size);
return 0;
}
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2006-01-26 8:02 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <5yQ4M-7PJ-11@gated-at.bofh.it>
2006-01-25 18:37 ` [PATCH] bttv: correct bttv_risc_packed buffer size Bodo Eggert
2006-01-26 8:02 ` Duncan Sands
2006-01-25 10:24 Duncan Sands
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).