commit fdb8a42742ac95606668f73481dfb2f760658fdd · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

x86: fix buffer overflow in efi_init()

If the vendor name (from c16) can be longer than 100 bytes (or missing a
terminating null), then the null is written past the end of vendor[].

Found with Parfait, http://research.sun.com/projects/parfait/

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Cc: Huang Ying <ying.huang@intel.com>

authored by Roel Kluin and committed by H. Peter Anvin 16 years ago fdb8a427 498cdbfb

+1 -1

1 changed file

expand all

unified split

arch

x86

kernel

efi.c

+1 -1

arch/x86/kernel/efi.c

··· 354 */ 355 c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2); 356 if (c16) { 357 - for (i = 0; i < sizeof(vendor) && *c16; ++i) 358 vendor[i] = *c16++; 359 vendor[i] = '\0'; 360 } else

··· 354 */ 355 c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2); 356 if (c16) { 357 + for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i) 358 vendor[i] = *c16++; 359 vendor[i] = '\0'; 360 } else