[PATCH] PowerPC: kernel: memory access violation when rtas_data_buf contents are more than 1026
Vasant Hegde
hegdevasant at linux.vnet.ibm.com
Wed Apr 24 16:28:04 EST 2013
On 04/23/2013 08:42 AM, Chen Gang wrote:
>
> need set '\0' for 'local_buffer'.
>
> SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of
> rtas_data_buf may truncated in memcpy.
>
> if contents are really truncated.
> the splpar_strlen is more than 1026. the next while loop checking will
> not find the end of buffer. that will cause memory access violation.
>
Per parameter length in ibm,get-system-parameter RTAS call is limited to 1026
bytes (1024 bytes of data + 2 bytes length). And 'rtas_data_buf' was set to 0
(first 1026 bytes) before call RTAS call. At the worst if we get junk in RTAS
output length field helps to exit from the while loop. So I don't think we need
this patch.
-Vasant
>
> Signed-off-by: Chen Gang<gang.chen at asianux.com>
> ---
> arch/powerpc/kernel/lparcfg.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/arch/powerpc/kernel/lparcfg.c b/arch/powerpc/kernel/lparcfg.c
> index 801a757..d92f387 100644
> --- a/arch/powerpc/kernel/lparcfg.c
> +++ b/arch/powerpc/kernel/lparcfg.c
> @@ -299,6 +299,7 @@ static void parse_system_parameter_string(struct seq_file *m)
> __pa(rtas_data_buf),
> RTAS_DATA_BUF_SIZE);
> memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH);
> + local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';
> spin_unlock(&rtas_data_buf_lock);
>
> if (call_status != 0) {
More information about the Linuxppc-dev
mailing list