powerpc/rtas_flash: fix a potential buffer overflow
Since snprintf() returns the possible output size instead of the
actual output size, the available flash_msg length returned by
get_validate_flash_msg may exceed the given buffer limit when
simple_read_from_buffer calls copy_to_user.

Signed-off-by: Yi Zhuang <zhuangyi1@huawei.com>
Yi Zhuang authored and intel-lab-lkp committed Jul 14, 2021
1 parent 019b3fd commit 546db7a99374dedd110a01801ad4456f56170d4d
Showing 1 changed file with 4 additions and 0 deletions.
@@ -473,6 +473,10 @@ static int get_validate_flash_msg(struct rtas_validate_flash_t *args_buf,
(args_buf->update_results == VALIDATE_TMP_UPDATE))
n += snprintf(msg + n, msglen - n, "%s\n",
args_buf->buf);
if (n >= msglen) {
n = msglen;
printk(KERN_ERR "FLASH: msg too long.\n");
}
} else {
n = sprintf(msg, "%d\n", args_buf->status);
}
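
Review bot: the added clamp after the snprintf() call sets n = msglen, but when snprintf() truncates it stores at most msglen - 1 characters followed by the terminating NUL, so the length returned to the caller counts the NUL byte as message data. Replacing the call with scnprintf(msg + n, msglen - n, ...) would return the number of characters actually written and make the extra if block unnecessary. If the log line is kept, pr_err() or a rate-limited variant would be a better fit than printk(KERN_ERR ...), since the commit message places this on a path reached from a user read and the message could then be emitted repeatedly. The sprintf() calls into msg, including the one in the else branch, remain unbounded; the "%d\n" output is short, but switching them to scnprintf() with msglen would keep the whole function consistent.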
