From: Eric Snowberg <eric.snowberg@oracle.com>
To: grub-devel@gnu.org
Cc: Eric Snowberg <eric.snowberg@oracle.com>
Subject: [PATCH v2] ieee1275: prevent buffer over-read
Date: Mon, 15 Feb 2016 10:53:45 -0800
Message-ID: <1455562425-87254-1-git-send-email-eric.snowberg@oracle.com>

Prevent buffer over-read in grub_machine_mmap_iterate. This was
preventing phys_base from being calculated properly. This then
caused the wrong value to be placed in ramdisk_image within
struct linux_hdrs, which prevented the ramdisk from loading on
boot.

Newer SPARC systems contain more than 8 available memory entries.
For example on a T5-8 with 2TB of memory, the memory layout could
look like this:

T5-8 Memory
  reg        00000000 30000000 0000003f b0000000
             00000800 00000000 00000040 00000000
             00001000 00000000 00000040 00000000
             00001800 00000000 00000040 00000000
             00002000 00000000 00000040 00000000
             00002800 00000000 00000040 00000000
             00003000 00000000 00000040 00000000
             00003800 00000000 00000040 00000000
  available  00003800 00000000 0000003f ffcae000
             00003000 00000000 00000040 00000000
             00002800 00000000 00000040 00000000
             00002000 00000000 00000040 00000000
             00001800 00000000 00000040 00000000
             00001000 00000000 00000040 00000000
             00000800 00000000 00000040 00000000
             00000000 70000000 0000003f 70000000
             00000000 6eef8000 00000000 00002000
             00000000 30400000 00000000 3eaf6000
  name       memory

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
grub-core/kern/ieee1275/mmap.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/grub-core/kern/ieee1275/mmap.c b/grub-core/kern/ieee1275/mmap.c
index 911bb00..d7f6a1b 100644
--- a/grub-core/kern/ieee1275/mmap.c
+++ b/grub-core/kern/ieee1275/mmap.c
@@ -25,7 +25,7 @@ grub_machine_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
{
grub_ieee1275_phandle_t root;
grub_ieee1275_phandle_t memory;
- grub_uint32_t available[32];
+ grub_uint32_t available[128];
grub_ssize_t available_size;
grub_uint32_t address_cells = 1;
grub_uint32_t size_cells = 1;
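Review bot: available[128] at the changed declaration is still a fixed cell count with no stated rationale, so the limit only moves. The T5-8 listing in the message needs 40 cells (10 entries of 4), which 128 covers, but any machine reporting more than 32 such entries would hit the new limit. Consider a named constant with a comment saying how many entries it allows, or sizing the buffer from the property's reported length.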
@@ -49,6 +49,9 @@ grub_machine_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
sizeof available, &available_size))
return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
"couldn't examine /memory/available property");
+ if (available_size > sizeof (available))
+ return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
+ "/memory response buffer exceeded");
if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_BROKEN_ADDRESS_CELLS))
{
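Review bot: the added test "available_size > sizeof (available)" compares a signed grub_ssize_t with an unsigned size_t, so a negative available_size would be converted to a large unsigned value and reported as "/memory response buffer exceeded". Consider checking for a negative size separately before the comparison. The error text could also name /memory/available and include the reported size, so that a failure on a larger machine shows directly that the array needs to grow.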
--
1.7.1
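
The failure described in the message, as an added example that is not part of the original message or of GRUB's code: it replays the T5-8 `available` cells against a 32-cell and a 128-cell buffer. `fake_get_property` and `sum_available` are hypothetical names; the example assumes the firmware read copies at most the buffer size while reporting the property's full length, and that each entry is 2 address cells plus 2 size cells.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* "available" cells copied from the T5-8 listing in the message:
   10 entries x (2 address + 2 size cells) = 40 cells, more than the old 32. */
static const uint32_t t5_8_available[] = {
  0x00003800, 0x00000000, 0x0000003f, 0xffcae000,
  0x00003000, 0x00000000, 0x00000040, 0x00000000,
  0x00002800, 0x00000000, 0x00000040, 0x00000000,
  0x00002000, 0x00000000, 0x00000040, 0x00000000,
  0x00001800, 0x00000000, 0x00000040, 0x00000000,
  0x00001000, 0x00000000, 0x00000040, 0x00000000,
  0x00000800, 0x00000000, 0x00000040, 0x00000000,
  0x00000000, 0x70000000, 0x0000003f, 0x70000000,
  0x00000000, 0x6eef8000, 0x00000000, 0x00002000,
  0x00000000, 0x30400000, 0x00000000, 0x3eaf6000,
};

/* Hypothetical stand-in for the firmware property read (assumption): copies
   at most buf_size bytes but reports the property's full length. */
static void fake_get_property (void *buf, size_t buf_size, long *actual)
{
  size_t n = sizeof t5_8_available;
  memcpy (buf, t5_8_available, n < buf_size ? n : buf_size);
  *actual = (long) n;
}

/* Sum the region sizes with a buffer of buf_cells cells (at most 128).
   Returns -1 instead of walking cells that were never filled in. */
static int sum_available (size_t buf_cells, uint64_t *total)
{
  uint32_t buf[128];
  long actual;
  size_t i, cells;
  if (buf_cells > 128) return -1;
  fake_get_property (buf, buf_cells * sizeof buf[0], &actual);
  if (actual < 0 || (size_t) actual > buf_cells * sizeof buf[0])
    return -1;                      /* reported length exceeds the buffer */
  cells = (size_t) actual / sizeof buf[0];
  for (*total = 0, i = 0; i + 4 <= cells; i += 4)
    *total += ((uint64_t) buf[i + 2] << 32) | buf[i + 3];
  return 0;
}

int main (void)
{
  uint64_t total = 0;
  int rc32 = sum_available (32, &total), rc128 = sum_available (128, &total);
  printf ("32 cells: %d, 128 cells: %d, total 0x%llx bytes\n", rc32, rc128, (unsigned long long) total);
  return 0;
}
```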