powerpc/rtas: fix array overrun in ppc_rtas() syscall
Michael Ellerman
mpe at ellerman.id.au
Wed Jul 6 00:10:13 AEST 2016
On Fri, 2016-18-03 at 06:36:33 UTC, Andrew Donnellan wrote:
> If ppc_rtas() is called with args.nargs == 16 and args.nret == 0, args.rets
> is set to point to &args.args[16], which is beyond the end of the args.args
> array. This results in a minor read overrun of the array when we check the
> first return code (which, per PAPR, is a required output of all RTAS calls)
> to see if there's been a hardware error.
>
> Change the nargs/nret check to ensure nargs is <= 15, allowing room for the
> status code. Users shouldn't be calling with nret == 0, but there's no real
> harm if they do, so we don't stop them.
>
> Signed-off-by: Andrew Donnellan <andrew.donnellan at au1.ibm.com>
Applied to powerpc next, thanks.
https://git.kernel.org/powerpc/c/a9862c7440f191439a51f77233
cheers
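As an added illustration, not code from the thread or from the kernel itself, here is a userspace model of the nargs/nret validation before and after the fix described above; the 16-entry args array and the rets pointer follow the message, while the struct field types and the helper names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the syscall argument block: 16 words shared between inputs
 * and outputs, with rets pointing at the first output slot. Field types
 * here are an assumption of this example, not the kernel's definition. */
#define RTAS_MAX_ARGS 16
struct rtas_args_model {
    uint32_t nargs;
    uint32_t nret;
    uint32_t args[RTAS_MAX_ARGS];
    uint32_t *rets;
};

/* Pre-fix check: each count and their sum must not exceed 16.
 * nargs == 16 with nret == 0 passes, so rets becomes &args[16]. */
static bool old_check_ok(uint32_t nargs, uint32_t nret)
{
    return !(nargs > RTAS_MAX_ARGS || nret > RTAS_MAX_ARGS ||
             nargs + nret > RTAS_MAX_ARGS);
}

/* Fixed check: nargs is limited to 15 so that the status word read from
 * rets[0] always lies inside the array, even when nret == 0. */
static bool new_check_ok(uint32_t nargs, uint32_t nret)
{
    return !(nargs >= RTAS_MAX_ARGS || nret > RTAS_MAX_ARGS ||
             nargs + nret > RTAS_MAX_ARGS);
}

/* Reproduce the rets setup for a given nargs and report whether rets[0]
 * would be read from inside the array. */
static bool rets_in_bounds(uint32_t nargs)
{
    struct rtas_args_model a = { .nargs = nargs, .nret = 0 };
    a.rets = &a.args[a.nargs];               /* same arithmetic as the bug */
    return a.rets < &a.args[RTAS_MAX_ARGS];  /* one-past-end is out of bounds */
}

int main(void)
{
    uint32_t nargs = 16, nret = 0;
    printf("nargs=%u nret=%u: old check %s, new check %s, rets[0] %s\n",
           nargs, nret, old_check_ok(nargs, nret) ? "accepts" : "rejects",
           new_check_ok(nargs, nret) ? "accepts" : "rejects",
           rets_in_bounds(nargs) ? "in bounds" : "out of bounds");
    return 0;
}
```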