Re: [PATCH] PowerPC: kernel: memory access violation when rtas_data_bufcontents are more than 1026

From: Vasant Hegde
Date: Wed Apr 24 2013 - 02:28:52 EST


On 04/23/2013 08:42 AM, Chen Gang wrote:

need set '\0' for 'local_buffer'.

SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of
rtas_data_buf may truncated in memcpy.

if contents are really truncated.
the splpar_strlen is more than 1026. the next while loop checking will
not find the end of buffer. that will cause memory access violation.


Per parameter length in ibm,get-system-parameter RTAS call is limited to 1026 bytes (1024 bytes of data + 2 bytes length). And 'rtas_data_buf' was set to 0 (first 1026 bytes) before call RTAS call. At the worst if we get junk in RTAS output length field helps to exit from the while loop. So I don't think we need this patch.

-Vasant


Signed-off-by: Chen Gang<gang.chen@xxxxxxxxxxx>
---
arch/powerpc/kernel/lparcfg.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/arch/powerpc/kernel/lparcfg.c b/arch/powerpc/kernel/lparcfg.c
index 801a757..d92f387 100644
--- a/arch/powerpc/kernel/lparcfg.c
+++ b/arch/powerpc/kernel/lparcfg.c
@@ -299,6 +299,7 @@ static void parse_system_parameter_string(struct seq_file *m)
__pa(rtas_data_buf),
RTAS_DATA_BUF_SIZE);
memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH);
+ local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';
spin_unlock(&rtas_data_buf_lock);

if (call_status != 0) {

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/