[Skiboot] [PATCH] opal: Fix buffer overrun in print_* functions.

Stewart Smith stewart at linux.vnet.ibm.com
Wed Jan 14 11:42:22 AEDT 2015


Mahesh J Salgaonkar <mahesh at linux.vnet.ibm.com> writes:
> From: Mahesh Salgaonkar <mahesh at linux.vnet.ibm.com>
>
> While running HMI tests I saw massive corruption in OPAL for one of the
> HMI tests that injects a TB error. On investigation I found that
> vsnprintf()->print_itoa() was the culprit. The print_itoa function uses a tmp
> array of size 16 to convert an unsigned long value to ASCII. But an unsigned
> value of 0xffffffffffffffff needs at least 25 characters to print its ASCII
> representation. This caused an array overflow resulting in corruption,
> unpredictable behavior and finally system termination.

This looks like fun and totally requires some close review.

I'd love it if you could add some unit tests for it that showed both the
bugs and that the fixes work.
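As an added illustration of the overrun the quoted report describes (this is not skiboot's print_itoa nor the patch under review; the function names are hypothetical), a bounded conversion whose scratch buffer is sized for the worst case, base 2 of a 64-bit value, and which refuses rather than overruns when the caller's buffer is too small:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Worst case for 64 bits is base 2: 64 digits, a NUL, one spare for a sign. */
#define ITOA_BUF_LEN (64 + 2)

/* Render `value` in `base` (2..16) into `out` of `outlen` bytes. Returns the
 * digit count (excluding NUL), or 0 if the base is invalid or the result
 * would not fit; never writes past `outlen`. */
size_t safe_utoa(uint64_t value, unsigned base, char *out, size_t outlen)
{
    const char *digits = "0123456789abcdef";
    char tmp[ITOA_BUF_LEN];       /* sized for the worst case, not 16 */
    size_t i = 0;

    if (base < 2 || base > 16 || out == NULL || outlen == 0)
        return 0;
    do {                          /* least-significant digit first */
        tmp[i++] = digits[value % base];
        value /= base;
    } while (value != 0);         /* at most 64 iterations for base >= 2 */
    if (i + 1 > outlen) {         /* need room for digits plus NUL */
        out[0] = '\0';
        return 0;
    }
    for (size_t j = 0; j < i; j++)
        out[j] = tmp[i - 1 - j];  /* reverse into the caller's buffer */
    out[i] = '\0';
    return i;
}

/* Render UINT64_MAX in `base` into a buffer of `outlen` bytes; 0 means it
 * would not fit, the case a fixed tmp[16] silently overruns. */
size_t render_max_in(unsigned base, size_t outlen)
{
    char out[ITOA_BUF_LEN];
    if (outlen > sizeof(out))
        outlen = sizeof(out);
    return safe_utoa(UINT64_MAX, base, out, outlen);
}

/* 1 if `value` in `base` renders exactly as `expected`, else 0. */
int utoa_equals(uint64_t value, unsigned base, const char *expected)
{
    char out[ITOA_BUF_LEN];
    return safe_utoa(value, base, out, sizeof(out)) > 0 &&
           strcmp(out, expected) == 0;
}
```

The `render_max_in` calls with a 16-byte limit are exactly the inputs the report's tmp[16] mishandles: hex needs 17 bytes with the NUL, decimal 21, octal 23 and binary 65.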
