Doug / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit 878b8619f711280fd05845e21956434b5e588cc4

Authored by Mikulas Patocka
Committed by Linus Torvalds
1 parent f984d02419
Exists in master and in 7 other branches imx_3.0.35_4.1.0, imx_3.10.17_1.0.1_ga, imx_3.10.53_1.1.0_ga, imx_3.14.28_1.0.0_ga, smarc-imx_3.10.53_1.1.0_ga, smarc-imx_3.14.28_1.0.0_ga, smarc-l5.0.0_1.0.0-ga

Fix memory corruption in console selection 

Fix an off-by-two memory error in console selection.

The loop below goes from sel_start to sel_end (inclusive), so it writes
one more character.  This one more character was added to the allocated
size (+1), but it was not multiplied by an UTF-8 multiplier.

This patch fixes a memory corruption when UTF-8 console is used and the
user selects a few characters, all of them 3-byte in UTF-8 (for example
a frame line).

When memory redzones are enabled, a redzone corruption is reported.
When they are not enabled, trashing of random memory occurs.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff

drivers/char/selection.c
Diff comments   View file @ 878b861
... ... @@ -268,7 +268,7 @@
268 268  
269 269 /* Allocate a new buffer before freeing the old one ... */
270 270 multiplier = use_unicode ? 3 : 1; /* chars can take up to 3 bytes */
271   - bp = kmalloc((sel_end-sel_start)/2*multiplier+1, GFP_KERNEL);
  271 + bp = kmalloc(((sel_end-sel_start)/2+1)*multiplier, GFP_KERNEL);
272 272 if (!bp) {
273 273 printk(KERN_WARNING "selection: kmalloc() failed\n");
274 274 clear_selection();