get_validate_flash_msg() appends args_buf->buf to the userspace-visible status message with a plain %s conversion. The firmware validation path copies a full 4096-byte buffer through args_buf->buf, so the status message builder can walk past the end of that fixed buffer looking for a terminator.
Limit the appended message to the validated buffer size. Signed-off-by: Pengpeng Hou <[email protected]> --- arch/powerpc/kernel/rtas_flash.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/kernel/rtas_flash.c b/arch/powerpc/kernel/rtas_flash.c index 583dc16e9d3c..5b3c6f3a11cd 100644 --- a/arch/powerpc/kernel/rtas_flash.c +++ b/arch/powerpc/kernel/rtas_flash.c @@ -455,8 +455,10 @@ static int get_validate_flash_msg(struct rtas_validate_flash_t *args_buf, n = sprintf(msg, "%d\n", args_buf->update_results); if ((args_buf->update_results >= VALIDATE_CUR_UNKNOWN) || (args_buf->update_results == VALIDATE_TMP_UPDATE)) - n += snprintf(msg + n, msglen - n, "%s\n", - args_buf->buf); + n += snprintf(msg + n, msglen - n, "%.*s\n", + (int)strnlen(args_buf->buf, + args_buf->buf_size), + args_buf->buf); } else { n = sprintf(msg, "%d\n", args_buf->status); } -- 2.50.1 (Apple Git-155)
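Review bot: the strnlen() call in the replacement snprintf() is redundant, and the three-way line split it forces is harder to read than the original two-line call. With a `%.*s` conversion the precision already bounds how far the formatter reads: it stops at the first NUL or after `precision` bytes, whichever comes first, so there is no need to pre-scan the buffer. The same fix reads more simply as

    n += snprintf(msg + n, msglen - n, "%.*s\n",
                  (int)args_buf->buf_size, args_buf->buf);

One thing worth confirming in the commit message (the hunk itself does not show it): `args_buf->buf_size` must still describe the bytes that are valid in `args_buf->buf` at the point the status message is built, i.e. after the firmware has written its result back, not only the amount userspace originally wrote; if firmware can return more text than that, the precision should be the buffer's allocated size instead. Either way, the cast to `int` is needed for `%.*s` and is correct here since the buffer is 4096 bytes.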
