Commit-ID: fdb8a42742ac95606668f73481dfb2f760658fdd
Gitweb: http://git.kernel.org/tip/fdb8a42742ac95606668f73481dfb2f760658fdd
Author: Roel Kluin <roel.kluin@xxxxxxxxx>
AuthorDate: Thu, 6 Aug 2009 15:58:13 -0700
Committer: H. Peter Anvin <hpa@xxxxxxxxx>
CommitDate: Sun, 9 Aug 2009 01:08:42 -0700
x86: fix buffer overflow in efi_init()
If the vendor name (from c16) can be longer than 100 bytes (or missing a
terminating null), then the null is written past the end of vendor[].
Found with Parfait, http://research.sun.com/projects/parfait/
Signed-off-by: Roel Kluin <roel.kluin@xxxxxxxxx>
Cc: Ingo Molnar <mingo@xxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: H. Peter Anvin <hpa@xxxxxxxxx>
Cc: Huang Ying <ying.huang@xxxxxxxxx>
---
arch/x86/kernel/efi.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/arch/x86/kernel/efi.c b/arch/x86/kernel/efi.c
index 19ccf6d..fe26ba3 100644
--- a/arch/x86/kernel/efi.c
+++ b/arch/x86/kernel/efi.c
@@ -354,7 +354,7 @@ void __init efi_init(void)
*/
c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2);
if (c16) {
- for (i = 0; i < sizeof(vendor) && *c16; ++i)
+ for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
vendor[i] = *c16++;
vendor[i] = '\0';
} else
--
To unsubscribe from this list: send the line "unsubscribe linux-tip-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
|