powerpc/pseries/lparcfg: Fix possible overflow are more than 1026 commit 5676005acf26ab7e924a8438ea4746e47d405762 upstream. need set '\0' for 'local_buffer'. SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of rtas_data_buf may truncated in memcpy. if contents are really truncated. the splpar_strlen is more than 1026. the next while loop checking will not find the end of buffer. that will cause memory access violation. Signed-off-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Cc: Yijing Wang <wangyijing@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit: 67ecf23838546f0d8d8a433fcdf09104d4a57acb [log] [tgz]
author: Chen Gang <gang.chen@asianux.com> Mon Apr 22 17:12:54 2013 +0000
committer: chrmhoffmann <chrmhoffmann@gmail.com> Sun Apr 05 10:20:29 2020 +0200
tree: 5ca4e0b91e64fae732a495df6dcea378a572c3cf
parent: e3902510417143cd854cc56ed5c814712e0e2299 [diff]
diff --git a/arch/powerpc/kernel/lparcfg.c b/arch/powerpc/kernel/lparcfg.c
index 7ebbae0..f62fda1 100644
--- a/arch/powerpc/kernel/lparcfg.c
+++ b/arch/powerpc/kernel/lparcfg.c

@@ -307,6 +307,7 @@
 				__pa(rtas_data_buf),
 				RTAS_DATA_BUF_SIZE);
 	memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH);
+	local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';
 	spin_unlock(&rtas_data_buf_lock);
 
 	if (call_status != 0) {
commit	67ecf23838546f0d8d8a433fcdf09104d4a57acb	[log] [tgz]
author	Chen Gang <gang.chen@asianux.com>	Mon Apr 22 17:12:54 2013 +0000
committer	chrmhoffmann <chrmhoffmann@gmail.com>	Sun Apr 05 10:20:29 2020 +0200
tree	5ca4e0b91e64fae732a495df6dcea378a572c3cf
parent	e3902510417143cd854cc56ed5c814712e0e2299 [diff]