Re: [PATCH] x86/geode/alix: bound the BIOS name copy to the scanned window

From: Borislav Petkov

Date: Wed Jun 03 2026 - 01:22:09 EST


On Thu, Apr 02, 2026 at 09:42:26PM +0800, Pengpeng Hou wrote:
> alix_present() scans the BIOS window one byte at a time looking for
> either "PC Engines ALIX." or "PC Engines\0ALIX.". The scan
> limit only ensures that the signature and the trailing board digit fit
> in the remaining BIOS mapping, but after a match the code copies 64
> bytes from the current pointer into a fixed local name buffer.
>
> If the signature is found near the end of the mapped BIOS region,
> memcpy(name, p, sizeof(name)) reads past the end of the scan window. The
> copied bytes are then searched with strchr(), so the local buffer should
> also be NUL-terminated explicitly.
>
> Copy only the bytes that remain in the mapped BIOS region and terminate
> the local buffer before using string helpers.
>
> Fixes: d4f3e350172a ("x86: geode: New PCEngines Alix system driver")

This patch is from 2011.

> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
> ---
> arch/x86/platform/geode/alix.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/platform/geode/alix.c b/arch/x86/platform/geode/alix.c
> index be65cd704e21..e01a607fa3b5 100644
> --- a/arch/x86/platform/geode/alix.c
> +++ b/arch/x86/platform/geode/alix.c
> @@ -72,11 +72,20 @@ static bool __init alix_present(unsigned long bios_phys,
> for (p = bios_virt; p < scan_end; p++) {
> const char *tail;
> char *a;
> + size_t copy_len;
>
> if (memcmp(p, alix_sig, alix_sig_len) != 0)
> continue;
>
> - memcpy(name, p, sizeof(name));
> + /*
> + * The scan window only proves that the signature and the
> + * trailing board digit fit in the mapped BIOS region.
> + */
> + copy_len = min_t(size_t, sizeof(name) - 1,
> + bios_virt + bios_len - p);
> +
> + memcpy(name, p, copy_len);
> + name[copy_len] = '\0';
>
> /* remove the first \0 character from string */
> a = strchr(name, '\0');
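
Review bot: The context line `a = strchr(name, '\0');` that follows the new `name[copy_len] = '\0';` can now return the terminator this hunk adds whenever the copied bytes contain no NUL of their own. The code that acts on "the first \0 character" should check that `a < name + copy_len` before modifying it, otherwise the termination added here can be undone. Separately, the new comment states what the scan window guarantees but not why the copy is clamped; a sentence saying the copy is limited to the bytes left in the mapping would make the `min_t()` self-explanatory.
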
> --
> 2.50.1 (Apple Git-155)

Are you saying you have this Geode thing? And this patch is fixing *something*
on it?

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette