From: Pengpeng Hou
Date: Thu, 2 Apr 2026 21:42:26 +0800
Subject: [PATCH] x86/geode/alix: bound the BIOS name copy to the scanned window
To: x86@kernel.org
Cc: tglx@kernel.org, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, akpm@linux-foundation.org, git@wildgooses.com, grant.likely@secretlab.ca, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn
Message-ID: <177513885220.95485.13271759640514362691@iscas.ac.cn>

alix_present() scans the BIOS window one byte at a time looking for either "PC Engines ALIX." or "PC Engines\0ALIX.".
The scan limit only ensures that the signature and the trailing board digit fit in the remaining BIOS mapping, but after a match the code copies 64 bytes from the current pointer into a fixed local name buffer. If the signature is found near the end of the mapped BIOS region, memcpy(name, p, sizeof(name)) reads past the end of the scan window. The copied bytes are then searched with strchr(), so the local buffer should also be NUL-terminated explicitly. Copy only the bytes that remain in the mapped BIOS region and terminate the local buffer before using string helpers. Fixes: d4f3e350172a ("x86: geode: New PCEngines Alix system driver") Cc: stable@vger.kernel.org Signed-off-by: Pengpeng Hou --- arch/x86/platform/geode/alix.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/arch/x86/platform/geode/alix.c b/arch/x86/platform/geode/alix.c index be65cd704e21..e01a607fa3b5 100644 --- a/arch/x86/platform/geode/alix.c +++ b/arch/x86/platform/geode/alix.c @@ -72,11 +72,20 @@ static bool __init alix_present(unsigned long bios_phys, for (p =3D bios_virt; p < scan_end; p++) { const char *tail; char *a; + size_t copy_len; =20 if (memcmp(p, alix_sig, alix_sig_len) !=3D 0) continue; =20 - memcpy(name, p, sizeof(name)); + /* + * The scan window only proves that the signature and the + * trailing board digit fit in the mapped BIOS region. + */ + copy_len =3D min_t(size_t, sizeof(name) - 1, + bios_virt + bios_len - p); + + memcpy(name, p, copy_len); + name[copy_len] =3D '\0'; =20 /* remove the first \0 character from string */ a =3D strchr(name, '\0'); --=20 2.50.1 (Apple Git-155)
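
Review bot: The terminator written at name[copy_len] is itself the first NUL that the unchanged strchr(name, '\0') at the end of the hunk will find whenever the copied bytes contain no embedded NUL, which is the case for the "PC Engines ALIX." form of the signature. The comment on that line says the first \0 is about to be removed; the lines that do so are outside this hunk, but if they overwrite *a, the buffer loses the terminator this patch just added and the string helpers that follow are unbounded again. Restricting the search to the copied bytes, for example memchr(name, '\0', copy_len), would replace only an embedded NUL and leave name[copy_len] intact. A smaller point on the added comment: it says what the scan window proves but not why the copy is clamped, so one more sentence stating that the copy is limited to the bytes left before bios_virt + bios_len would make it self-explanatory.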