    powerpc/rtas_flash: Fix validate_flash buffer overflow issue · a94a1472
    Vasant Hegde authored
    The ibm,validate-flash-image RTAS call output buffer contains 150 - 200
    bytes of data on the latest systems. Presently the output
    buffer size is 64 bytes and we use sprintf to copy data from the
    RTAS buffer to the local buffer. This causes a kernel oops (see the
    call trace below).
    
    This patch increases the local buffer size to 256 and also uses
    snprintf instead of sprintf to copy data from the RTAS buffer.
    
    Kernel call trace:
    -------------------
    Oops: Kernel access of bad area, sig: 11 [#1]
    SMP NR_CPUS=1024 NUMA pSeries
    Modules linked in: nfs fscache lockd auth_rpcgss nfs_acl sunrpc fuse loop dm_mod ipv6 ipv6_lib usb_storage ehea(X) sr_mod qlge ses cdrom enclosure st be2net sg ext3 jbd mbcache usbhid hid ohci_hcd ehci_hcd usbcore qla2xxx usb_common sd_mod crc_t10dif scsi_dh_hp_sw scsi_dh_rdac scsi_dh_alua scsi_dh_emc scsi_dh lpfc scsi_transport_fc scsi_tgt ipr(X) libata scsi_mod
    Supported: Yes
    NIP: 4520323031333130 LR: 4520323031333130 CTR: 0000000000000000
    REGS: c0000001b91779b0 TRAP: 0400   Tainted: G            X  (3.0.13-0.27-ppc64)
    MSR: 8000000040009032 <EE,ME,IR,DR>  CR: 44022488  XER: 20000018
    TASK = c0000001bca1aba0[4736] 'cat' THREAD: c0000001b9174000 CPU: 36
    GPR00: 4520323031333130 c0000001b9177c30 c000000000f87c98 000000000000009b
    GPR04: c0000001b9177c4a 000000000000000b 3520323031333130 2032303133313031
    GPR08: 3133313031350a4d 000000000000009b 0000000000000000 c0000000003664a4
    GPR12: 0000000022022448 c000000003ee6c00 0000000000000002 00000000100e8a90
    GPR16: 00000000100cb9d8 0000000010093370 000000001001d310 0000000000000000
    GPR20: 0000000000008000 00000000100fae60 000000000000005e 0000000000000000
    GPR24: 0000000010129350 46573738302e3030 2046573738302e30 300a4d4720323031
    GPR28: 333130313520554e 4b4e4f574e0a4d47 2032303133313031 3520323031333130
    NIP [4520323031333130] 0x4520323031333130
    LR [4520323031333130] 0x4520323031333130
    Call Trace:
    [c0000001b9177c30] [4520323031333130] 0x4520323031333130 (unreliable)
    Instruction dump:
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
    Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
rtas_flash.c 21.3 KB
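The commit message describes two changes: a larger local buffer and a bounded copy with snprintf. The following user-space model, added here as an illustration and not the kernel's rtas_flash.c code, shows why both matter. The struct, the 180-byte firmware text and the helper names (`format_validate_msg`, `was_truncated`, `make_sample`) are constructed for the example; the 64- and 256-byte sizes are the ones the commit message gives.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the RTAS validate-flash result: an update-result
 * code plus the variable-length text the firmware returns (150 - 200 bytes
 * on newer systems, per the commit message). Not the kernel's struct. */
#define RTAS_BUF_LEN 1024
struct validate_flash_result {
	int update_results;
	char buf[RTAS_BUF_LEN];
};

/* Sizes from the commit message: the old local buffer and the enlarged one. */
#define OLD_MSG_LEN 64
#define NEW_MSG_LEN 256

/*
 * Bounded formatter: writes "<update_results>\n<text>\n" into msg, never past
 * msglen bytes, always NUL-terminated. Returns the number of bytes the full
 * message would need (snprintf semantics), so a caller can compare it against
 * msglen to detect truncation instead of silently overrunning the stack.
 *
 * The pre-fix pattern, sprintf() into a 64-byte array, has no bound at all;
 * with ~180 bytes of firmware text it writes past the array, which is
 * consistent with the ASCII values that appear in NIP/LR in the oops above.
 */
static size_t format_validate_msg(const struct validate_flash_result *res,
                                  char *msg, size_t msglen)
{
	int n;
	size_t needed, off;

	if (msglen == 0)
		return 0;

	n = snprintf(msg, msglen, "%d\n", res->update_results);
	if (n < 0) {
		msg[0] = '\0';
		return 0;
	}
	needed = (size_t)n;

	/* snprintf returns the would-be length, not bytes written: clamp the
	 * offset so the second write never starts beyond the buffer end. */
	off = needed < msglen ? needed : msglen - 1;
	n = snprintf(msg + off, msglen - off, "%s\n", res->buf);
	if (n < 0)
		return needed;
	needed += (size_t)n;
	return needed;
}

/* Non-zero if a message needing `needed` bytes did not fit in msglen. */
static int was_truncated(size_t needed, size_t msglen)
{
	return needed >= msglen;
}

/* Constructed sample: result code 5 and 180 bytes of firmware text. */
static void make_sample(struct validate_flash_result *res)
{
	res->update_results = 5;
	memset(res->buf, 0, sizeof(res->buf));
	memset(res->buf, 'A', 180);
}

int main(void)
{
	struct validate_flash_result res;
	char small[OLD_MSG_LEN], big[NEW_MSG_LEN];
	size_t need;

	make_sample(&res);

	need = format_validate_msg(&res, small, sizeof(small));
	printf("64-byte buffer: needed %zu, truncated=%d, stored %zu chars\n",
	       need, was_truncated(need, sizeof(small)), strlen(small));

	need = format_validate_msg(&res, big, sizeof(big));
	printf("256-byte buffer: needed %zu, truncated=%d, stored %zu chars\n",
	       need, was_truncated(need, sizeof(big)), strlen(big));
	return 0;
}
```

The point of returning the needed length is that snprintf alone only stops the overrun; it does not tell the caller the message was cut. A caller that accumulates `n += snprintf(...)` offsets without clamping can still compute a pointer past the buffer, which is why the second write's offset is bounded to `msglen - 1`.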