[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180427163707.ktaiysvbk3yhk4wm@agluck-desk>
Date: Fri, 27 Apr 2018 09:37:08 -0700
From: "Luck, Tony" <tony.luck@...el.com>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Borislav Petkov <bp@...en8.de>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>,
the arch/x86 maintainers <x86@...nel.org>,
linux-edac@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>
Subject: [PATCH] x86, mce: Fix stack out-of-bounds write in
mce-inject.c:flags_read()
Each of the strings that we want to put into the buf[MAX_FLAG_OPT_SIZE]
in flags_read() is two characters. But the sprintf() adds a trailing newline
and will add a terminating NUL byte. So MAX_FLAG_OPT_SIZE needs to be 4.
Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
Cc: <stable@...r.kernel.org>
Signed-off-by: Tony Luck <tony.luck@...el.com>
---
diff --git a/arch/x86/kernel/cpu/mcheck/mce-inject.c b/arch/x86/kernel/cpu/mcheck/mce-inject.c
index 475cb4f5f14f..c805a06e14c3 100644
--- a/arch/x86/kernel/cpu/mcheck/mce-inject.c
+++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c
@@ -48,7 +48,7 @@ static struct dentry *dfs_inj;
static u8 n_banks;
-#define MAX_FLAG_OPT_SIZE 3
+#define MAX_FLAG_OPT_SIZE 4
#define NBCFG 0x44
enum injection_type {
Powered by blists - more mailing lists