[PATCH] efi: fix out-of-bounds null overwrite vulnerability

From: Insu Yun
Date: Thu Jan 07 2016 - 14:05:26 EST

Next message: Rich Felker: "Re: [PATCH v2 31/32] sh: support a 2-byte smp_store_mb"
Previous message: Frank Rowand: "[PATCH v2] dtc: create tool to diff device trees"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

snprintf's return value is not bound by size value.
(https://www.kernel.org/doc/htmldocs/kernel-api/API-snprintf.html)
if printed value is larger than buffer size, it can overwrite
null byte in out-of-bounds buffer.

Signed-off-by: Insu Yun <wuninsu@xxxxxxxxx>
---
drivers/firmware/efi/cper.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
index d425374..77aa75f 100644
--- a/drivers/firmware/efi/cper.c
+++ b/drivers/firmware/efi/cper.c
@@ -267,7 +267,6 @@ static int cper_dimm_err_location(struct cper_mem_err_compact *mem, char *msg)
"DIMM location: not present. DMI handle: 0x%.4x ",
mem->mem_dev_handle);

- msg[n] = '\0';
return n;
}

--
1.9.1

Next message: Rich Felker: "Re: [PATCH v2 31/32] sh: support a 2-byte smp_store_mb"
Previous message: Frank Rowand: "[PATCH v2] dtc: create tool to diff device trees"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]