powerpc/pseries/lparcfg: Fix possible overflow are more than 1026

commit 5676005acf26ab7e924a8438ea4746e47d405762 upstream. need set '\0' for 'local_buffer'. SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of rtas_data_buf may truncated in memcpy. if contents are really truncated. the splpar_strlen is more than 1026. the next while loop checking will not find the end of buffer. that will cause memory access violation. Signed-off-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
author: Chen Gang <gang.chen@asianux.com> 2013-04-22 17:12:54 +0000
committer: Ben Hutchings <ben@decadent.org.uk> 2013-10-26 21:06:11 +0100
commit: 8f0ce108f5e1c6a443548746b6f01b450f71a407 (patch)
tree: f9bfa01027a350cc12f8c42308e2478f5760f182
parent: f362f08b46213452508f76bac4b74a4e5f5c4294 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/arch/powerpc/kernel/lparcfg.c b/arch/powerpc/kernel/lparcfg.c
index 826681dc342a..26af24bbaed4 100644
--- a/arch/powerpc/kernel/lparcfg.c
+++ b/arch/powerpc/kernel/lparcfg.c
@@ -375,6 +375,7 @@ static void parse_system_parameter_string(struct seq_file *m)
 				__pa(rtas_data_buf),
 				RTAS_DATA_BUF_SIZE);
 	memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH);
+	local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';
 	spin_unlock(&rtas_data_buf_lock);
 
 	if (call_status != 0) {
author	Chen Gang <gang.chen@asianux.com>	2013-04-22 17:12:54 +0000
committer	Ben Hutchings <ben@decadent.org.uk>	2013-10-26 21:06:11 +0100
commit	8f0ce108f5e1c6a443548746b6f01b450f71a407 (patch)
tree	f9bfa01027a350cc12f8c42308e2478f5760f182
parent	f362f08b46213452508f76bac4b74a4e5f5c4294 (diff)