author: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com> 2015-01-15 00:02:06 +0530
committer: Stewart Smith <stewart@linux.vnet.ibm.com> 2015-01-19 17:15:22 +1100
commit: d0b91f6c8b4f159fc05eca21fceff1bf98fabd51 (patch)
tree: 531e571e27447085c3b91ae382e42b103dd25f9c /hdata
parent: c0bda1491c39070b9cd9872746339d6f162b7775 (diff)
opal: Fix buffer overrun in print_* functions. (tag: skiboot-2.1.1-fw810.20-4)
While running HMI tests I saw a massive corruption in OPAL for one of the HMI tests that injects TB error. On investigation I found that vsnprintf()->print_itoa() was the culprit. The print_itoa function uses a tmp array of size 16 to convert an unsigned long value to ASCII. But an unsigned value of 0xffffffffffffffff needs at least 25 characters to print its ASCII representation. This caused an array to overflow resulting in corruption, unpredictable behavior and finally system termination.

We could fix this by increasing the size of the tmp[] array but that still won't fix this bug completely. While auditing the vsnprintf() function I found that it makes use of print_*() functions to write data to the buffer. But none of the print_* functions have any check on buffer size before writing data to it. Without a size check print_*() can easily overrun the buffer passed by vprlog()->vsnprintf()->print_format()->print_*() causing massive corruption leading to unpredictable behavior.

This patch fixes this bug by modifying the print_*() functions to check for buffer size to avoid buffer overrun.

- Modified print_format(), print_fill() and print_itoa() to take bufsize as argument and added a size check while writing to buffer.
- Removed temporary array from print_itoa(), instead write data directly to buffer.
- Added two new functions print_str_fill() and print_str() to be used as helper routines for the '%s' fmt case in the print_format() function. These new routines now have a check on buffer size while copying a NULL terminated string to buffer.
- Added "!bufsize" check in vsnprintf() to avoid buffer overrun while setting NULL character before returning.

I ran HMI tests with this patch successfully. I also tested this patch by reducing size of the buffer (in core/console-log.c:vprlog()) from 320 to 50 and booted the lid successfully with no corruption at all.
Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Acked-by: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Diffstat (limited to 'hdata')
0 files changed, 0 insertions, 0 deletions
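The fix pattern the commit message describes (pass the destination size down, check it before writing, and drop the fixed-size temporary) is shown below as an added illustration. This is not skiboot's print_itoa() or any code from the commit; the function name itoa_bounded and its signature are assumptions, and the 16-byte buffer in main() is a constructed input that mirrors the undersized tmp[] the message mentions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded replacement for an unchecked print_itoa(): takes the
 * destination size, counts digits before writing anything and writes straight
 * into the caller's buffer (no fixed-size temporary to overrun). Returns the
 * characters written (NUL excluded), or -1 when digits + NUL would not fit,
 * leaving an empty string in that case. */
static int itoa_bounded(char *buf, size_t bufsize,
                        unsigned long long value, unsigned int base)
{
    static const char digits[] = "0123456789abcdef";
    unsigned long long v = value;
    size_t len = 1, i;

    if (buf == NULL || bufsize == 0 || base < 2 || base > 16)
        return -1;
    /* count digits first so the size check happens before any write */
    while ((v /= base) != 0)
        len++;
    if (len >= bufsize) {       /* len digits plus the NUL must fit */
        buf[0] = '\0';
        return -1;
    }
    buf[len] = '\0';
    /* fill from the least-significant digit backwards, in place */
    for (i = len; i > 0; i--) {
        buf[i - 1] = digits[value % base];
        value /= base;
    }
    return (int)len;
}

int main(void)
{
    char small[16], big[32];   /* 16 mirrors the undersized tmp[] */
    int rc;

    rc = itoa_bounded(small, sizeof small, ULLONG_MAX, 10);
    printf("16-byte buffer: rc=%d \"%s\"\n", rc, small);   /* rc=-1 "" */
    rc = itoa_bounded(big, sizeof big, ULLONG_MAX, 10);
    printf("32-byte buffer: rc=%d \"%s\"\n", rc, big);     /* rc=20 */
    return 0;
}
```

With the size check, the case that corrupted OPAL (the all-ones value into a 16-byte destination) is refused with -1 instead of writing past the end.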