[Skiboot] [PATCH v2 2/2] opal: Fix buffer overrun in print_* functions.

Ananth N Mavinakayanahalli ananth at in.ibm.com
Mon Jan 19 16:07:40 AEDT 2015 

On Thu, Jan 15, 2015 at 12:02:06AM +0530, Mahesh J Salgaonkar wrote:
> From: Mahesh Salgaonkar <mahesh at linux.vnet.ibm.com>
> 
> While running HMI tests I saw a massive corruption in OPAL for one of the
> HMI test that injects TB error. On investigation I found that
> vsnprintf()->print_itoa() was the culprit. print_itoa function uses tmp
> array of size 16 to convert unsigned long value to ASCII. But an unsigned
> value of 0xffffffffffffffff needs atleast 25 characters to print its ASCII
> representation. This caused an array to overflow resulting into corruption,
> unpredictable behavior and finally system termination.
> 
> We could fix this by increasing the size of tmp[] array but that still won't
> fix this bug completely. While auditing vsnprintf() function I found that
> it makes use of print_*() functions to write data to buffer. But none of
> the print_* function have any check on buffer size before writing data to it.
> Without size check print_*() can easily overrun buffer passed by
> vprlog()->vsnprintf()->print_format()->print_*() causing massive corruption
> leading to unpredictable behavior.
> 
> This patch fixes this bug by modifying print_*() function to check for
> buffer size to avoid buffer overrun.
> 
> - Modified print_format(), print_fill() and print_itoa() to take bufsize
>   as argument and added a size check while writing to buffer.
> - Remove temporary array from print_itoa(), instead write data directly to
>   buffer.
> - Added two new function print_str_fill() and print_str() to be used as
>   helper routine for '%s' fmt case in print_format() function. These new
>   routines now has a check on buffer size while copying NULL terminated
>   string to buffer.
> - Added "!bufsize" check in vsnprintf() to avoid buffer overrun while
>   setting NULL character before returning.
> 
> I ran HMI tests with this patch successfully. I also tested this patch by
> reducing size of the buffer (in core/console-log.c:vprlog()) from 320 to 50
> and booted the lid successfully with no corruption at all.
> 
> Please review this patch.
> 
> Signed-off-by: Mahesh Salgaonkar <mahesh at linux.vnet.ibm.com>

Acked-by: Ananth N Mavinakayanahalli <ananth at in.ibm.com>

More information about the Skiboot mailing list