ppc_rtas_find_all_sensors() derives the number of RTAS sensors from the firmware property length and then copies that many entries into the fixed sensors.sensor[MAX_SENSORS] array. A longer-than-expected property can therefore overrun the static sensor table.
Reject rtas-sensors properties that would exceed the fixed sensor table. Signed-off-by: Pengpeng Hou <[email protected]> --- arch/powerpc/kernel/rtas-proc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/powerpc/kernel/rtas-proc.c b/arch/powerpc/kernel/rtas-proc.c index f38df72e64b8..97a7d76ecf77 100644 --- a/arch/powerpc/kernel/rtas-proc.c +++ b/arch/powerpc/kernel/rtas-proc.c @@ -437,6 +437,10 @@ static int ppc_rtas_find_all_sensors(void) } sensors.quant = len / 8; /* int + int */ + if (sensors.quant > ARRAY_SIZE(sensors.sensor)) { + pr_err("too many sensors reported: %u\n", sensors.quant); + return 1; + } for (i=0; i<sensors.quant; i++) { sensors.sensor[i].token = *utmp++; -- 2.50.1 (Apple Git-155)
