[3.5.y.z extended stable] Patch "powerpc/pseries/lparcfg: Fix possible overflow are more than" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Mon Oct 28 10:29:51 UTC 2013 

This is a note to let you know that I have just added a patch titled

    powerpc/pseries/lparcfg: Fix possible overflow are more than

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

>From 92424fae9717e2a684dd4f57a30939ddf60b4251 Mon Sep 17 00:00:00 2001
From: Chen Gang <gang.chen at asianux.com>
Date: Mon, 22 Apr 2013 17:12:54 +0000
Subject: [PATCH] powerpc/pseries/lparcfg: Fix possible overflow are more than
 1026

commit 5676005acf26ab7e924a8438ea4746e47d405762 upstream.

need set '\0' for 'local_buffer'.

SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of
rtas_data_buf may truncated in memcpy.

if contents are really truncated.
  the splpar_strlen is more than 1026. the next while loop checking will
  not find the end of buffer. that will cause memory access violation.

Signed-off-by: Chen Gang <gang.chen at asianux.com>
Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 arch/powerpc/kernel/lparcfg.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/powerpc/kernel/lparcfg.c b/arch/powerpc/kernel/lparcfg.c
index 7ebbae0..f62fda1 100644
--- a/arch/powerpc/kernel/lparcfg.c
+++ b/arch/powerpc/kernel/lparcfg.c
@@ -307,6 +307,7 @@ static void parse_system_parameter_string(struct seq_file *m)
 				__pa(rtas_data_buf),
 				RTAS_DATA_BUF_SIZE);
 	memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH);
+	local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';
 	spin_unlock(&rtas_data_buf_lock);

 	if (call_status != 0) {
--
1.8.3.2

More information about the kernel-team mailing list