ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory()

Message ID 1442345660-15603-1-git-send-email-thuth@redhat.com
State New

Commit Message

Thomas Huth Sept. 15, 2015, 7:34 p.m. UTC
The buffer that is allocated in spapr_populate_drconf_memory()
is used for setting both, the "ibm,dynamic-memory" and the
"ibm,associativity-lookup-arrays" property. However, only the
size of the first one is taken into account when allocating the
memory. So if the length of the second property is larger than
the length of the first one, we run into a buffer overflow here!
Fix it by taking the length of the second property into account,
too.

Fixes: "spapr: Support ibm,dynamic-reconfiguration-memory" patch
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 Note: This is for the spapr-next branch only, the patch
 which introduces this problem is not on master yet.

 hw/ppc/spapr.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

Comments

David Gibson Sept. 16, 2015, 2:24 a.m. UTC | #1
On Tue, Sep 15, 2015 at 09:34:20PM +0200, Thomas Huth wrote:
> The buffer that is allocated in spapr_populate_drconf_memory()
> is used for setting both, the "ibm,dynamic-memory" and the
> "ibm,associativity-lookup-arrays" property. However, only the
> size of the first one is taken into account when allocating the
> memory. So if the length of the second property is larger than
> the length of the first one, we run into a buffer overflow here!
> Fix it by taking the length of the second property into account,
> too.
> 
> Fixes: "spapr: Support ibm,dynamic-reconfiguration-memory" patch
> Signed-off-by: Thomas Huth <thuth@redhat.com>

Merged to spapr-next, thanks.

Patch

diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index f22db12..e4177fb 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -725,9 +725,12 @@  static int spapr_populate_drconf_memory(sPAPRMachineState *spapr, void *fdt)
     uint32_t *int_buf, *cur_index, buf_len;
     int nr_nodes = nb_numa_nodes ? nb_numa_nodes : 1;
 
-    /* Allocate enough buffer size to fit in ibm,dynamic-memory */
-    buf_len = nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE * sizeof(uint32_t) +
-                sizeof(uint32_t);
+    /*
+     * Allocate enough buffer size to fit in ibm,dynamic-memory
+     * or ibm,associativity-lookup-arrays
+     */
+    buf_len = MAX(nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE + 1, nr_nodes * 4 + 2)
+              * sizeof(uint32_t);
     cur_index = int_buf = g_malloc0(buf_len);
 
     offset = fdt_add_subnode(fdt, 0, "ibm,dynamic-reconfiguration-memory");
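Review bot: the second MAX() operand, nr_nodes * 4 + 2, encodes the ibm,associativity-lookup-arrays layout as bare magic numbers (presumably two header cells plus four cells per node) with nothing in the hunk saying so; the first operand at least names its per-entry size via SPAPR_DR_LMB_LIST_ENTRY_SIZE. Suggest a named constant or a comment on the new buf_len line spelling out what the 4 and the 2 are, and deriving the length passed to the later fdt_setprop() for that property from the same expression, so the allocation and the write cannot drift apart again and reintroduce the overflow this patch fixes. The MAX() double-evaluation is harmless here since both operands are side-effect free.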