Message ID | 20210714011608.15043-1-zhuangyi1@huawei.com (mailing list archive) |
---|---|
State | Superseded |
Series | powerpc/rtas_flash: fix a potential buffer overflow |
Context | Check | Description |
---|---|---|
snowpatch_ozlabs/github-powerpc_clang | success | Successfully ran 8 jobs. |
snowpatch_ozlabs/github-powerpc_kernel_qemu | fail | kernel (ppc64_defconfig, fedora-34) failed at step build. |
snowpatch_ozlabs/github-powerpc_ppctests | success | Successfully ran 8 jobs. |
snowpatch_ozlabs/github-powerpc_selftests | success | Successfully ran 8 jobs. |
snowpatch_ozlabs/github-powerpc_sparse | fail | sparse (ppc64le, ppc64le, ubuntu-21.04) failed at step Build. |
diff --git a/arch/powerpc/kernel/rtas_flash.c b/arch/powerpc/kernel/rtas_flash.c index a99179d83538..4aa6bad28556 100644 --- a/arch/powerpc/kernel/rtas_flash.c +++ b/arch/powerpc/kernel/rtas_flash.c @@ -473,6 +473,10 @@ static int get_validate_flash_msg(struct rtas_validate_flash_t *args_buf, (args_buf->update_results == VALIDATE_TMP_UPDATE)) n += snprintf(msg + n, msglen - n, "%s\n", args_buf->buf); + if (n >= msglen) { + n = msglen; + printk(KERN_ERR "FLASH: msg too long.\n"); + } } else { n = sprintf(msg, "%d\n", args_buf->status); }
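Review bot: The clamp `n = msglen` in the added block after the `snprintf()` call is off by one. On truncation `snprintf()` stores at most `msglen - n - 1` characters followed by the terminating NUL, so the string left in `msg` is `msglen - 1` bytes long, and returning `msglen` counts the NUL as part of the message length that is later handed to `copy_to_user`. Either clamp to `msglen - 1`, or replace the call with `n += scnprintf(msg + n, msglen - n, "%s\n", args_buf->buf);`, which returns the number of characters actually written and makes the added check unnecessary. The `sprintf()` in the `else` branch is still not bounded by `msglen`; a short comment stating why the buffer is always large enough for it would help. If the error message is kept, `pr_err()` is preferred over `printk(KERN_ERR ...)`.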
Since snprintf() returns the possible output size instead of the actual output size, the available flash_msg length returned by get_validate_flash_msg may exceed the given buffer limit when simple_read_from_buffer calls copy_to_user.

Signed-off-by: Yi Zhuang <zhuangyi1@huawei.com>
---
 arch/powerpc/kernel/rtas_flash.c | 4 ++++
 1 file changed, 4 insertions(+)