[PATCH] x86/geode/alix: bound the BIOS name copy to the scanned window
From: Pengpeng Hou
Date: Thu Apr 02 2026 - 10:20:32 EST
alix_present() scans the BIOS window one byte at a time looking for
either "PC Engines ALIX." or "PC Engines\0ALIX.". The scan
limit only ensures that the signature and the trailing board digit fit
in the remaining BIOS mapping, but after a match the code copies 64
bytes from the current pointer into a fixed local name buffer.
If the signature is found near the end of the mapped BIOS region,
memcpy(name, p, sizeof(name)) reads past the end of the scan window. The
copied bytes are then searched with strchr(), so the local buffer should
also be NUL-terminated explicitly.
Copy only the bytes that remain in the mapped BIOS region and terminate
the local buffer before using string helpers.
Fixes: d4f3e350172a ("x86: geode: New PCEngines Alix system driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
arch/x86/platform/geode/alix.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/arch/x86/platform/geode/alix.c b/arch/x86/platform/geode/alix.c
index be65cd704e21..e01a607fa3b5 100644
--- a/arch/x86/platform/geode/alix.c
+++ b/arch/x86/platform/geode/alix.c
@@ -72,11 +72,20 @@ static bool __init alix_present(unsigned long bios_phys,
for (p = bios_virt; p < scan_end; p++) {
const char *tail;
char *a;
+ size_t copy_len;
if (memcmp(p, alix_sig, alix_sig_len) != 0)
continue;
- memcpy(name, p, sizeof(name));
+ /*
+ * The scan window only proves that the signature and the
+ * trailing board digit fit in the mapped BIOS region.
+ */
+ copy_len = min_t(size_t, sizeof(name) - 1,
+ bios_virt + bios_len - p);
+
+ memcpy(name, p, copy_len);
+ name[copy_len] = '\0';
/* remove the first \0 character from string */
a = strchr(name, '\0');
--
2.50.1 (Apple Git-155)