diff options
| author | Chen Gang <gang.chen@asianux.com> | 2013-04-22 17:12:54 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-07-09 10:51:21 -0700 |
| commit | a1ca0f8ee2e5874e309f2a9956e74edfdf541ce4 (patch) | |
| tree | f2ce4fcebff9470837635b86c66abba61bef78af | |
| parent | 0b36b7f617524596dc8900c1f8c3ab051c6b9dc5 (diff) | |
| download | linux-stable-a1ca0f8ee2e5874e309f2a9956e74edfdf541ce4.tar.gz linux-stable-a1ca0f8ee2e5874e309f2a9956e74edfdf541ce4.tar.bz2 linux-stable-a1ca0f8ee2e5874e309f2a9956e74edfdf541ce4.zip | |
powerpc/pseries/lparcfg: Fix possible overflow are more than 1026
commit 5676005acf26ab7e924a8438ea4746e47d405762 upstream.
need set '\0' for 'local_buffer'.
SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of
rtas_data_buf may truncated in memcpy.
if contents are really truncated.
the splpar_strlen is more than 1026. the next while loop checking will
not find the end of buffer. that will cause memory access violation.
Signed-off-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Yijing Wang <wangyijing@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | arch/powerpc/kernel/lparcfg.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/arch/powerpc/kernel/lparcfg.c b/arch/powerpc/kernel/lparcfg.c index 7ebbae0e005a..f62fda1b6d61 100644 --- a/arch/powerpc/kernel/lparcfg.c +++ b/arch/powerpc/kernel/lparcfg.c @@ -307,6 +307,7 @@ static void parse_system_parameter_string(struct seq_file *m) __pa(rtas_data_buf), RTAS_DATA_BUF_SIZE); memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH); + local_buffer[SPLPAR_MAXLENGTH - 1] = '\0'; spin_unlock(&rtas_data_buf_lock); if (call_status != 0) { |