The patch titled x86: fix buffer overflow in efi_init() has been added to the -mm tree. Its filename is x86-fix-buffer-overflow-in-efi_init.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find out what to do about this The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/ ------------------------------------------------------ Subject: x86: fix buffer overflow in efi_init() From: Roel Kluin <roel.kluin@xxxxxxxxx> If the vendor name (from c16) can be longer than 100 bytes (or missing a terminating null), then the null is written past the end of vendor[]. Found with Parfait, http://research.sun.com/projects/parfait/ Signed-off-by: Roel Kluin <roel.kluin@xxxxxxxxx> Cc: Ingo Molnar <mingo@xxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- arch/x86/kernel/efi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff -puN arch/x86/kernel/efi.c~x86-fix-buffer-overflow-in-efi_init arch/x86/kernel/efi.c --- a/arch/x86/kernel/efi.c~x86-fix-buffer-overflow-in-efi_init +++ a/arch/x86/kernel/efi.c @@ -354,7 +354,7 @@ void __init efi_init(void) */ c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2); if (c16) { - for (i = 0; i < sizeof(vendor) && *c16; ++i) + for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i) vendor[i] = *c16++; vendor[i] = '\0'; } else _ Patches currently in -mm which might be from roel.kluin@xxxxxxxxx are origin.patch linux-next.patch x86-fix-buffer-overflow-in-efi_init.patch s3c-fix-check-of-index-into-s3c_gpios.patch stmp3xxx-deallocation-with-negative-index-of-descriptors.patch dm-strncpy-does-not-null-terminate-string.patch powerpc-sky-cpu-redundant-or-incorrect-tests-on-unsigned.patch media-strncpy-does-not-null-terminate-string.patch ivtv-read-buffer-overflow.patch siano-read-buffer-overflow.patch drivers-media-video-bw-qcamc-fix-read-buffer-overflow.patch stk-webcam-read-buffer-overflow.patch ipath-strncpy-does-not-null-terminate-string.patch mips-decrease-size-of-au1xxx_dbdma_pm_regs.patch irda-fix-read-buffer-overflow.patch atlx-strncpy-does-not-null-terminate-string.patch ext4-remove-redundant-test-on-unsigned.patch ocfs2-keep-index-within-status_map.patch cyclades-read-buffer-overflow.patch drivers-scsi-fnic-fnic_scsic-clean-up.patch ibmmca-buffer-overflow.patch scsi-eata-fix-buffer-overflow.patch drivers-scsi-gdthc-fix-buffer-overflow.patch drivers-scsi-iprh-fix-buffer-overflow.patch drivers-scsi-u14-34fc-fix-uffer-overflow.patch libertas-fix-read-outside-array-bounds.patch libertas-read-buffer-overflow.patch i915-fix-read-outside-array-bounds.patch frv-duplicate-output_buffer-of-e03.patch frv-duplicate-output_buffer-of-e03-checkpatch-fixes.patch m32r-remove-redundant-tests-on-unsigned.patch m68k-count-can-reach-51-not-50.patch m68k-cnt-reaches-1-not-0.patch dme1737-keep-index-within-pwm_config.patch ncpfs-read-buffer-overflow.patch smbfs-read-buffer-overflow.patch platinumfb-misplaced-parenthesis.patch sisfb-read-buffer-overflow.patch documentation-strncpy-does-not-null-terminate-string.patch adfs-remove-redundant-test-on-unsigned.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html