From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Chen Gang , Benjamin Herrenschmidt , Ben Hutchings , Yijing Wang Subject: [PATCH 3.4 41/44] powerpc/pseries/lparcfg: Fix possible overflow are more than 1026 Date: Mon, 7 Jul 2014 17:07:31 -0700 Message-Id: <20140707235859.863633026@linuxfoundation.org> In-Reply-To: <20140707235858.652771077@linuxfoundation.org> References: <20140707235858.652771077@linuxfoundation.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Chen Gang commit 5676005acf26ab7e924a8438ea4746e47d405762 upstream. need set '\0' for 'local_buffer'. SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of rtas_data_buf may truncated in memcpy. if contents are really truncated. the splpar_strlen is more than 1026. the next while loop checking will not find the end of buffer. that will cause memory access violation. Signed-off-by: Chen Gang Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman --- arch/powerpc/kernel/lparcfg.c | 1 + 1 file changed, 1 insertion(+) --- a/arch/powerpc/kernel/lparcfg.c +++ b/arch/powerpc/kernel/lparcfg.c @@ -307,6 +307,7 @@ static void parse_system_parameter_strin __pa(rtas_data_buf), RTAS_DATA_BUF_SIZE); memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH); + local_buffer[SPLPAR_MAXLENGTH - 1] = '\0'; spin_unlock(&rtas_data_buf_lock); if (call_status != 0) {