[PATCH] x86: Buffer overflow

From: Roel Kluin
Date: Tue Jul 28 2009 - 13:43:31 EST

Next message: Robert Richter: "[GIT PULL] OProfile updates for tip"
Previous message: Andreas Mohr: "ok, now would this be useful? (Re: Dynamic configure max_cstate)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If the vendor name (from c16) can be longer than 100 bytes (or missing a
terminating null), then the null is writen past the end of vendor[].

Signed-off-by: Roel Kluin <roel.kluin@xxxxxxxxx>
---
Found with Parfait, http://research.sun.com/projects/parfait/

diff --git a/arch/x86/kernel/efi.c b/arch/x86/kernel/efi.c
index 96f7ac0..436a42f 100644
--- a/arch/x86/kernel/efi.c
+++ b/arch/x86/kernel/efi.c
@@ -354,7 +354,7 @@ void __init efi_init(void)
*/
c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2);
if (c16) {
- for (i = 0; i < sizeof(vendor) && *c16; ++i)
+ for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
vendor[i] = *c16++;
vendor[i] = '\0';
} else
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Robert Richter: "[GIT PULL] OProfile updates for tip"
Previous message: Andreas Mohr: "ok, now would this be useful? (Re: Dynamic configure max_cstate)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]