lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

x86: fix buffer overflow in efi_init()

Browse Source 
If the vendor name (from c16) can be longer than 100 bytes (or missing a
terminating null), then the null is written past the end of vendor[].

Found with Parfait, http://research.sun.com/projects/parfait/

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Cc: Huang Ying <ying.huang@intel.com>
This commit is contained in:
Roel Kluin
2009-08-06 15:58:13 -07:00
committed by H. Peter Anvin
parent 498cdbfbcf
commit fdb8a42742
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
arch/x86/kernel/efi.c
View File

@@ -354,7 +354,7 @@ void __init efi_init(void)
*/ */
c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2); c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2);
if (c16) { if (c16) {
for (i = 0; i < sizeof(vendor) && *c16; ++i) for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
vendor[i] = *c16++; vendor[i] = *c16++;
vendor[i] = '\0'; vendor[i] = '\0';
} else } else