[Skiboot] [PATCH] opal: Fix buffer overrun in print_* functions.

Benjamin Herrenschmidt benh at au1.ibm.com
Wed Jan 14 19:56:54 AEDT 2015


On Wed, 2015-01-14 at 13:42 +1300, Stewart Smith wrote:
> Mahesh J Salgaonkar <mahesh at linux.vnet.ibm.com> writes:
> > From: Mahesh Salgaonkar <mahesh at linux.vnet.ibm.com>
> >
> > While running HMI tests I saw massive corruption in OPAL for one of the
> > HMI tests that injects TB error. On investigation I found that
> > vsnprintf()->print_itoa() was the culprit. print_itoa function uses tmp
> > array of size 16 to convert unsigned long value to ASCII. But an unsigned
> > value of 0xffffffffffffffff needs at least 25 characters to print its ASCII
> > representation. This caused an array to overflow, resulting in corruption,
> > unpredictable behavior and finally system termination.
> 
> This looks like fun and totally requires some close review.
> 
> I'd love it if you could add some unit tests for it that showed both the
> bugs and that the fixes work.

Interesting that -fstack-protector didn't catch it ...

Ben.
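The overrun described in the quoted report comes from a scratch array that is smaller than the longest digit string the converter can produce. The following is an added example written for this page; it is not skiboot's print_itoa and not part of Mahesh's patch. The names safe_itoa, itoa_width, itoa_fits and itoa_renders_as are chosen here. The scratch buffer is sized from the type width so the worst case (base 2, one digit per bit) always fits, and the destination length is checked before the copy so an undersized caller buffer is refused rather than overrun. The main() reports how many characters 0xffffffffffffffff needs in several bases and shows a 16-byte destination being rejected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Worst case for a 64-bit value is base 2: one digit per bit. Sizing the
 * scratch buffer from the type width plus a terminator covers every base
 * from 2 to 16, so the digit loop below can never run past the array. */
#define ITOA_TMP_LEN (sizeof(uint64_t) * 8 + 1)   /* 65 bytes */

/* Convert value to ASCII in the given base (2..16). Writes at most out_len
 * bytes to out (including the NUL) and returns the number of characters
 * produced, or 0 if the representation would not fit. Constructed example,
 * not skiboot's print_itoa. */
size_t safe_itoa(uint64_t value, unsigned base, char *out, size_t out_len)
{
    static const char digits[] = "0123456789abcdef";
    char tmp[ITOA_TMP_LEN];
    size_t i = 0;

    if (base < 2 || base > 16 || out == NULL || out_len == 0)
        return 0;

    /* Digits come out least-significant first; tmp is sized for the
     * longest possible run, so i can never exceed ITOA_TMP_LEN - 1. */
    do {
        tmp[i++] = digits[value % base];
        value /= base;
    } while (value != 0);

    /* Refuse rather than overflow or silently truncate the caller's buffer. */
    if (i + 1 > out_len)
        return 0;

    /* Reverse into the destination and terminate. */
    for (size_t j = 0; j < i; j++)
        out[j] = tmp[i - 1 - j];
    out[i] = '\0';
    return i;
}

/* Characters needed (excluding NUL) to print value in base. */
size_t itoa_width(uint64_t value, unsigned base)
{
    char buf[ITOA_TMP_LEN];
    return safe_itoa(value, base, buf, sizeof(buf));
}

/* Would a destination of out_len bytes hold value in base, NUL included?
 * This is the bound a fixed tmp[16] with no length check lacks. */
bool itoa_fits(uint64_t value, unsigned base, size_t out_len)
{
    return itoa_width(value, base) + 1 <= out_len;
}

/* Render value and compare with expected text. */
bool itoa_renders_as(uint64_t value, unsigned base, const char *expected)
{
    char buf[ITOA_TMP_LEN];
    return safe_itoa(value, base, buf, sizeof(buf)) != 0 &&
           strcmp(buf, expected) == 0;
}

int main(void)
{
    uint64_t all_ones = UINT64_MAX;   /* the 0xffffffffffffffff case in the report */
    char small[16];                   /* same size as the tmp[] the report describes */

    printf("0x%llx needs %zu chars in base 10, %zu in base 8, %zu in base 2\n",
           (unsigned long long)all_ones, itoa_width(all_ones, 10),
           itoa_width(all_ones, 8), itoa_width(all_ones, 2));
    if (safe_itoa(all_ones, 10, small, sizeof(small)) == 0)
        printf("16-byte destination rejected instead of overrun\n");
    return 0;
}
```

The length check returns 0 on an undersized destination instead of relying on a stack canary to notice the damage after the fact; a canary, where it is placed at all, only fires on function return, which is consistent with the remark above that -fstack-protector did not catch the original corruption.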
