Patch "sparc64: Fix buggy strlcpy() conversion in ldom_reboot()." has been added to the 3.10-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    sparc64: Fix buggy strlcpy() conversion in ldom_reboot().

to the 3.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     sparc64-fix-buggy-strlcpy-conversion-in-ldom_reboot.patch
and it can be found in the queue-3.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 2df267384cc05ac3f08f5bb3e4800b240ce773d7 Mon Sep 17 00:00:00 2001
From: "David S. Miller" <davem@xxxxxxxxxxxxx>
Date: Fri, 27 Sep 2013 13:46:04 -0700
Subject: sparc64: Fix buggy strlcpy() conversion in ldom_reboot().

From: "David S. Miller" <davem@xxxxxxxxxxxxx>

[ Upstream commit 2bd161a605f1f84a5fc8a4fe8410113a94f79355 ]

Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using
strlcpy() instead of strcpy()") added a bug to ldom_reboot in
arch/sparc/kernel/ds.c

-		strcpy(full_boot_str + strlen("boot "), boot_command);
+				     strlcpy(full_boot_str + strlen("boot "), boot_command,
+				     			     sizeof(full_boot_str + strlen("boot ")));

That last sizeof() expression evaluates to sizeof(size_t) which is
not what was intended.

Also even the corrected:

     sizeof(full_boot_str) + strlen("boot ")

is not right as the destination buffer length is just plain
"sizeof(full_boot_str)" and that's what the final argument
should be.

Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/sparc/kernel/ds.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/sparc/kernel/ds.c
+++ b/arch/sparc/kernel/ds.c
@@ -844,7 +844,7 @@ void ldom_reboot(const char *boot_comman
 
 		strcpy(full_boot_str, "boot ");
 		strlcpy(full_boot_str + strlen("boot "), boot_command,
-			sizeof(full_boot_str + strlen("boot ")));
+			sizeof(full_boot_str));
 		len = strlen(full_boot_str);
 
 		if (reboot_data_supported) {


Patches currently in stable-queue which might be from davem@xxxxxxxxxxxxx are

queue-3.10/tuntap-correctly-handle-error-in-tun_set_iff.patch
queue-3.10/net_sched-htb-fix-a-typo-in-htb_change_class.patch
queue-3.10/ip_tunnel-fix-a-memory-corruption-in-ip_tunnel_xmit.patch
queue-3.10/sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch
queue-3.10/resubmit-bridge-fix-message_age_timer-calculation.patch
queue-3.10/sparc64-fix-itlb-handler-of-null-page.patch
queue-3.10/ipv6-gre-correct-calculation-of-max_headroom.patch
queue-3.10/ll_temac-reset-dma-descriptors-indexes-on-ndo_open.patch
queue-3.10/tcp-add-missing-braces-to-do_tcp_setsockopt.patch
queue-3.10/ip-generate-unique-ip-identificator-if-local-fragmentation-is-allowed.patch
queue-3.10/ipv6-mcast-use-in6_dev_put-in-timer-handlers-instead-of-__in6_dev_put.patch
queue-3.10/mm-fix-generic-hugetlb-pte-check-return-type.patch
queue-3.10/net-sctp-rfc4443-do-not-report-icmp-redirects-to-user-space.patch
queue-3.10/ip-use-ip_hdr-in-__ip_make_skb-to-retrieve-ip-header.patch
queue-3.10/net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
queue-3.10/r8169-enforce-rx_multi_en-for-the-8168f.patch
queue-3.10/ipv6-nat-do-not-drop-dnated-6to4-6rd-packets.patch
queue-3.10/bonding-fix-broken-promiscuity-reference-counting-issue.patch
queue-3.10/net-fix-multiqueue-selection.patch
queue-3.10/sparc-fix-ldom_reboot-buffer-overflow-harder.patch
queue-3.10/dm9601-fix-iff_allmulti-handling.patch
queue-3.10/xen-netback-count-number-required-slots-for-an-skb-more-carefully.patch
queue-3.10/net-sctp-fix-bug-in-sctp_poll-for-sock_select_err_queue.patch
queue-3.10/sparc64-fix-off-by-one-in-trampoline-tlb-mapping-installation-loop.patch
queue-3.10/net-fib-fib6_add-fix-potential-null-pointer-dereference.patch
queue-3.10/ipv6-exthdrs-accept-tlv-which-includes-only-padding.patch
queue-3.10/net-dccp-do-not-report-icmp-redirects-to-user-space.patch
queue-3.10/caif-add-missing-braces-to-multiline-if-in-cfctrl_linkup_request.patch
queue-3.10/bridge-clamp-forward_delay-when-enabling-stp.patch
queue-3.10/sparc64-fix-buggy-strlcpy-conversion-in-ldom_reboot.patch
queue-3.10/sit-allow-to-use-rtnl-ops-on-fb-tunnel.patch
queue-3.10/ipv6-udp-packets-following-an-ufo-enqueued-packet-need-also-be-handled-by-ufo.patch
queue-3.10/esp_scsi-fix-tag-state-corruption-when-autosensing.patch
queue-3.10/sparc64-remove-rwsem-export-leftovers.patch
queue-3.10/bridge-use-br_port_get_rtnl-within-rtnl-lock.patch
queue-3.10/bridge-fix-null-pointer-deref-of-br_port_get_rcu.patch
queue-3.10/sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch
queue-3.10/ipv4-igmp-use-in_dev_put-in-timer-handlers-instead-of-__in_dev_put.patch
queue-3.10/netpoll-fix-null-pointer-dereference-in-netpoll_cleanup.patch
queue-3.10/net-flow_dissector-fix-thoff-for-ipproto_ah.patch
queue-3.10/net-net_secret-should-not-depend-on-tcp.patch
queue-3.10/netpoll-should-handle-eth_p_arp-other-than-eth_p_ip-in-netpoll_neigh_reply.patch
queue-3.10/net-sctp-fix-smatch-warning-in-sctp_send_asconf_del_ip.patch
queue-3.10/via-rhine-fix-vlan-priority-field-pcp-ieee-802.1p.patch
queue-3.10/ip6_tunnels-raddr-and-laddr-are-inverted-in-nl-msg.patch
queue-3.10/ip6tnl-allow-to-use-rtnl-ops-on-fb-tunnel.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]