[PATCH] powerpc/rtas: fix array overrun in ppc_rtas() syscall

[Andrew Donnellan]

If ppc_rtas() is called with args.nargs == 16 and args.nret == 0, args.rets
is set to point to &args.args[16], which is beyond the end of the args.args
array. This results in a minor read overrun of the array when we check the
first return code (which, per PAPR, is a required output of all RTAS calls)
to see if there's been a hardware error.

Change the nargs/nret check to ensure nargs is <= 15, allowing room for the
status code. Users shouldn't be calling with nret == 0, but there's no real
harm if they do, so we don't stop them.

Signed-off-by: Andrew Donnellan <andrew.donnellan at au1.ibm.com>

---

Found with the assistance of Coverity Scan.

The dodgy read doesn't currently leak anything at all to userspace, as
args.rets isn't copied back to userspace.
---
 arch/powerpc/kernel/rtas.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
index 28736ff..8da209f 100644
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -1070,7 +1070,7 @@ asmlinkage int ppc_rtas(struct rtas_args __user *uargs)
 	nret  = be32_to_cpu(args.nret);
 	token = be32_to_cpu(args.token);
 
-	if (nargs > ARRAY_SIZE(args.args)
+	if (nargs >= ARRAY_SIZE(args.args)
 	    || nret > ARRAY_SIZE(args.args)
 	    || nargs + nret > ARRAY_SIZE(args.args))
 		return -EINVAL;
-- 
Andrew Donnellan              Software Engineer, OzLabs
andrew.donnellan at au1.ibm.com  Australia Development Lab, Canberra
+61 2 6201 8874 (work)        IBM Australia Limited