From f118e9abddfae94d7ef88858159d7556e1c2f7f6 Mon Sep 17 00:00:00 2001
From: Chen Gang
Date: Sat, 22 Jun 2013 13:26:09 +0800
Subject: arch: sparc: kernel: check the memory length before use strcpy().
For the related next strcpy(), the destination length is less than 512, but the source maximize length may be 'OPROMMAXPARAM' (4096) which is more than 512. One work flow may: openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. opromsetopt() -> devide the buffer into 'var' and 'value' of_set_property() -> pass prom_setprop() -> pass ldom_set_var() And do not mind the additional 4 alignment buffer increasing, since 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least.
Signed-off-by: Chen Gang
Signed-off-by: David S. Miller
---
arch/sparc/kernel/ds.c | 10 ++++++++++
1 file changed, 10 insertions(+)
(limited to 'arch/sparc/kernel/ds.c')
diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c
index 5ef48dab5636..11d460f6f9cc 100644
--- a/arch/sparc/kernel/ds.c
+++ b/arch/sparc/kernel/ds.c
@@ -783,6 +783,16 @@ void ldom_set_var(const char *var, const char *value)
 char *base, *p;
 int msg_len, loops;
+ if (strlen(var) + strlen(value) + 2 >
+ sizeof(pkt) - sizeof(pkt.header)) {
+ printk(KERN_ERR PFX
+ "contents length: %zu, which more than max: %lu,"
+ "so could not set (%s) variable to (%s).\n",
+ strlen(var) + strlen(value) + 2,
+ sizeof(pkt) - sizeof(pkt.header), var, value);
+ return;
+ }
+
 memset(&pkt, 0, sizeof(pkt));
 pkt.header.data.tag.type = DS_DATA;
 pkt.header.data.handle = cp->handle;
--
cgit v1.2.3
From 2066aadd53c563445039d6490b685783816270ec Mon Sep 17 00:00:00 2001
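Review bot: The rejection path added to ldom_set_var() (first patch, arch/sparc/kernel/ds.c) prints `var` and `value` verbatim with `%s`, and the commit message says they can come from the OPROMSETOPT ioctl buffer of up to OPROMMAXPARAM (4096) bytes, so every oversized request copies caller-supplied text into the kernel log with no length bound or rate limit. Logging only the two lengths, or bounding the strings with a precision such as `(%.32s)` and using `printk_ratelimited()`, keeps the diagnostic without echoing the payload. The limit `sizeof(pkt) - sizeof(pkt.header)` is a size_t but is printed with `%lu` while the first argument uses `%zu`; `%zu` fits both, and the two adjacent literals join as `max: %lu,so could` without a space. The function is void and its body starts and ends outside the hunk, so whether callers have another way to notice the rejected write cannot be seen here.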
From: Paul Gortmaker
Date: Mon, 17 Jun 2013 15:43:14 -0400
Subject: sparc: delete __cpuinit/__CPUINIT usage from all users
The __cpuinit type of throwaway sections might have made sense some time ago when RAM was more constrained, but now the savings do not offset the cost and complications. For example, the fix in commit 5e427ec2d0 ("x86: Fix bit corruption at CPU resume time") is a good example of the nasty type of bugs that can be created with improper use of the various __init prefixes. After a discussion on LKML[1] it was decided that cpuinit should go the way of devinit and be phased out. Once all the users are gone, we can then finally remove the macros themselves from linux/init.h. Note that some harmless section mismatch warnings may result, since notify_cpu_starting() and cpu_up() are arch independent (kernel/cpu.c) are flagged as __cpuinit -- so if we remove the __cpuinit from arch specific callers, we will also get section mismatch warnings. As an intermediate step, we intend to turn the linux/init.h cpuinit content into no-ops as early as possible, since that will get rid of these warnings. In any case, they are temporary and harmless. This removes all the arch/sparc uses of the __cpuinit macros from C files and removes __CPUINIT from assembly files. Note that even though arch/sparc/kernel/trampoline_64.S has instances of ".previous" in it, they are all paired off against explicit ".section" directives, and not implicitly paired with __CPUINIT (unlike mips and arm were). [1] https://lkml.org/lkml/2013/5/20/589
Cc: "David S. Miller"
Cc: sparclinux@vger.kernel.org
Signed-off-by: Paul Gortmaker
---
arch/sparc/kernel/ds.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
(limited to 'arch/sparc/kernel/ds.c')
diff --git a/arch/sparc/kernel/ds.c b/arch/sparc/kernel/ds.c
index 11d460f6f9cc..62d6b153ffa2 100644
--- a/arch/sparc/kernel/ds.c
+++ b/arch/sparc/kernel/ds.c
@@ -528,10 +528,8 @@ static void dr_cpu_mark(struct ds_data *resp, int cpu, int ncpus,
 }
 }
-static int __cpuinit dr_cpu_configure(struct ds_info *dp,
- struct ds_cap_state *cp,
- u64 req_num,
- cpumask_t *mask)
+static int dr_cpu_configure(struct ds_info *dp, struct ds_cap_state *cp,
+ u64 req_num, cpumask_t *mask)
 {
 struct ds_data *resp;
 int resp_len, ncpus, cpu;
@@ -627,9 +625,8 @@ static int dr_cpu_unconfigure(struct ds_info *dp,
 return 0;
 }
-static void __cpuinit dr_cpu_data(struct ds_info *dp,
- struct ds_cap_state *cp,
- void *buf, int len)
+static void dr_cpu_data(struct ds_info *dp, struct ds_cap_state *cp, void *buf,
+ int len)
 {
 struct ds_data *data = buf;
 struct dr_cpu_tag *tag = (struct dr_cpu_tag *) (data + 1);
--
cgit v1.2.3