From patchwork Wed Apr 24 07:03:52 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Chen Gang X-Patchwork-Id: 239058 Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from ozlabs.org (localhost [IPv6:::1]) by ozlabs.org (Postfix) with ESMTP id 807CE2C013F for ; Wed, 24 Apr 2013 17:05:12 +1000 (EST) Received: from intranet.asianux.com (intranet.asianux.com [58.214.24.6]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by ozlabs.org (Postfix) with ESMTPS id A9D922C00EF for ; Wed, 24 Apr 2013 17:04:44 +1000 (EST) Received: by intranet.asianux.com (Postfix, from userid 103) id B5C77184029C; Wed, 24 Apr 2013 15:04:37 +0800 (CST) X-Spam-Score: -100.8 X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on intranet.asianux.com X-Spam-Level: X-Spam-Status: No, score=-100.8 required=5.0 tests=AWL,BAYES_00, RATWARE_GECKO_BUILD,USER_IN_WHITELIST autolearn=no version=3.1.9 Received: from [10.1.0.143] (unknown [219.143.36.82]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by intranet.asianux.com (Postfix) with ESMTP id 4AA941840242; Wed, 24 Apr 2013 15:04:37 +0800 (CST) Message-ID: <517783D8.6010701@asianux.com> Date: Wed, 24 Apr 2013 15:03:52 +0800 From: Chen Gang User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130110 Thunderbird/17.0.2 MIME-Version: 1.0 To: Vasant Hegde Subject: Re: [PATCH] PowerPC: kernel: memory access violation when rtas_data_buf contents are more than 1026 References: <516F7A7D.60206@asianux.com> <1366677081.2886.7.camel@pasglop> <5175E85F.1040509@asianux.com> <5175FC36.4060308@asianux.com> <51777B74.8040204@linux.vnet.ibm.com> In-Reply-To: <51777B74.8040204@linux.vnet.ibm.com> Cc: "sfr@canb.auug.org.au" , "linux-kernel@vger.kernel.org" , "paulus@samba.org" , Al Viro , "linuxppc-dev@lists.ozlabs.org" X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org Sender: "Linuxppc-dev" On 2013年04月24日 14:28, Vasant Hegde wrote: > On 04/23/2013 08:42 AM, Chen Gang wrote: >> >> need set '\0' for 'local_buffer'. >> >> SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of >> rtas_data_buf may truncated in memcpy. >> >> if contents are really truncated. >> the splpar_strlen is more than 1026. the next while loop checking will >> not find the end of buffer. that will cause memory access violation. >> > > Per parameter length in ibm,get-system-parameter RTAS call is limited to > 1026 bytes (1024 bytes of data + 2 bytes length). And 'rtas_data_buf' > was set to 0 (first 1026 bytes) before call RTAS call. At the worst if > we get junk in RTAS output length field helps to exit from the while > loop. So I don't think we need this patch. Is get-system-parameter return the NUL terminated string ? if so, it will no issue (just like your discription). If it will not return NUL terminated string, please see line 326: "while ((*local_buffer) && (idx < splpar_strlen))" (when idx == 1024, *local_buffer is memory access violation). Since we use the first 2 bytes as length, and also be sure of the real length will never more than 1024, I suggest to: ---------------------------patch begin-------------------------------- ---------------------------patch end---------------------------------- Thanks. diff --git a/arch/powerpc/kernel/lparcfg.c b/arch/powerpc/kernel/lparcfg.c index 801a757..f8bd7cf 100644 --- a/arch/powerpc/kernel/lparcfg.c +++ b/arch/powerpc/kernel/lparcfg.c @@ -323,7 +323,7 @@ static void parse_system_parameter_string(struct seq_file *m) w_idx = 0; idx = 0; - while ((*local_buffer) && (idx < splpar_strlen)) { + while (idx < splpar_strlen) { workbuffer[w_idx++] = local_buffer[idx++]; if ((local_buffer[idx] == ',') || (local_buffer[idx] == '\0')) {