powerpc/pseries/lparcfg: Fix possible overflow are more than 1026

need set '\0' for 'local_buffer'. SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of rtas_data_buf may truncated in memcpy. if contents are really truncated. the splpar_strlen is more than 1026. the next while loop checking will not find the end of buffer. that will cause memory access violation. Signed-off-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>

powerpc/pseries/lparcfg: Fix possible overflow are more than 1026
need set '\0' for 'local_buffer'. SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of rtas_data_buf may truncated in memcpy. if contents are really truncated. the splpar_strlen is more than 1026. the next while loop checking will not find the end of buffer. that will cause memory access violation. Signed-off-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
5676005a · Chen Gang · Benjamin Herrenschmidt · ebd004e4 · 5676005a
Commit 5676005a authored Apr 22, 2013 by Chen Gang Committed by Benjamin Herrenschmidt Apr 23, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

arch/powerpc/kernel/lparcfg.c arch/powerpc/kernel/lparcfg.c +1 -0

No files found.
--- a/arch/powerpc/kernel/lparcfg.c
+++ b/arch/powerpc/kernel/lparcfg.c
@@ -301,6 +301,7 @@ static void parse_system_parameter_string(struct seq_file *m)
 				__pa(rtas_data_buf),
 				RTAS_DATA_BUF_SIZE);
 	memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH);
+	local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';
 	spin_unlock(&rtas_data_buf_lock);

 	if (call_status != 0) {