Patch "PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun" has been added to the 5.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     pci-sysfs-fix-dsm_label_utf16s_to_utf8s-buffer-overr.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2d12acd59a55ebd6e30e4ee8eec0d08a57af6a05
Author: Krzysztof WilczyÅ?ski <kw@xxxxxxxxx>
Date:   Thu Jun 3 00:01:12 2021 +0000

    PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun
    
    [ Upstream commit bdcdaa13ad96f1a530711c29e6d4b8311eff767c ]
    
    "utf16s_to_utf8s(..., buf, PAGE_SIZE)" puts up to PAGE_SIZE bytes into
    "buf" and returns the number of bytes it actually put there.  If it wrote
    PAGE_SIZE bytes, the newline added by dsm_label_utf16s_to_utf8s() would
    overrun "buf".
    
    Reduce the size available for utf16s_to_utf8s() to use so there is always
    space for the newline.
    
    [bhelgaas: reorder patch in series, commit log]
    Fixes: 6058989bad05 ("PCI: Export ACPI _DSM provided firmware instance number and string name to sysfs")
    Link: https://lore.kernel.org/r/20210603000112.703037-7-kw@xxxxxxxxx
    Reported-by: Joe Perches <joe@xxxxxxxxxxx>
    Signed-off-by: Krzysztof WilczyÅ?ski <kw@xxxxxxxxx>
    Signed-off-by: Bjorn Helgaas <bhelgaas@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/pci/pci-label.c b/drivers/pci/pci-label.c
index a5910f942857..9fb4ef568f40 100644
--- a/drivers/pci/pci-label.c
+++ b/drivers/pci/pci-label.c
@@ -162,7 +162,7 @@ static void dsm_label_utf16s_to_utf8s(union acpi_object *obj, char *buf)
 	len = utf16s_to_utf8s((const wchar_t *)obj->buffer.pointer,
 			      obj->buffer.length,
 			      UTF16_LITTLE_ENDIAN,
-			      buf, PAGE_SIZE);
+			      buf, PAGE_SIZE - 1);
 	buf[len] = '\n';
 }
 



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux