powerpc/rtas-proc: reject oversized sensor properties

[PATCH] powerpc/rtas-proc: reject oversized sensor properties

Pengpeng Hou posted 1 patch 3 hours ago

Download mbox

arch/powerpc/kernel/rtas-proc.c | 4 ++++
1 file changed, 4 insertions(+)

Expand all Fold all

[PATCH] powerpc/rtas-proc: reject oversized sensor properties

Posted by Pengpeng Hou 3 hours ago

ppc_rtas_find_all_sensors() derives the number of RTAS sensors from the
firmware property length and then copies that many entries into the
fixed sensors.sensor[MAX_SENSORS] array. A longer-than-expected property
can therefore overrun the static sensor table.

Reject rtas-sensors properties that would exceed the fixed sensor table.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 arch/powerpc/kernel/rtas-proc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/powerpc/kernel/rtas-proc.c b/arch/powerpc/kernel/rtas-proc.c
index f38df72e64b8..97a7d76ecf77 100644
--- a/arch/powerpc/kernel/rtas-proc.c
+++ b/arch/powerpc/kernel/rtas-proc.c
@@ -437,6 +437,10 @@ static int ppc_rtas_find_all_sensors(void)
 	}
 
 	sensors.quant = len / 8;      /* int + int */
+	if (sensors.quant > ARRAY_SIZE(sensors.sensor)) {
+		pr_err("too many sensors reported: %u\n", sensors.quant);
+		return 1;
+	}
 
 	for (i=0; i<sensors.quant; i++) {
 		sensors.sensor[i].token = *utmp++;
-- 
2.50.1 (Apple Git-155)