[PATCH 11/24] powerpc/pseries/lparcfg: Fix possible overflow are more than 1026

Kamal Mostafa kamal at canonical.com
Mon Sep 9 18:45:01 UTC 2013 -stable review patch.  If anyone has any objections, please let me know.


From: Chen Gang <gang.chen at asianux.com>

commit 5676005acf26ab7e924a8438ea4746e47d405762 upstream.

need set '\0' for 'local_buffer'.

SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of
rtas_data_buf may truncated in memcpy.

if contents are really truncated.
  the splpar_strlen is more than 1026. the next while loop checking will
  not find the end of buffer. that will cause memory access violation.

Signed-off-by: Chen Gang <gang.chen at asianux.com>
Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
 arch/powerpc/kernel/lparcfg.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/powerpc/kernel/lparcfg.c b/arch/powerpc/kernel/lparcfg.c
index 801a757..d92f387 100644
--- a/arch/powerpc/kernel/lparcfg.c
+++ b/arch/powerpc/kernel/lparcfg.c
@@ -299,6 +299,7 @@ static void parse_system_parameter_string(struct seq_file *m)
 	memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH);
+	local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';
 	if (call_status != 0) {

More information about the kernel-team mailing list