x86: fix buffer overflow in efi_init()
authorRoel Kluin <roel.kluin@gmail.com>
Thu, 6 Aug 2009 22:58:13 +0000 (15:58 -0700)
committerH. Peter Anvin <hpa@zytor.com>
Sun, 9 Aug 2009 08:08:42 +0000 (01:08 -0700)
If the vendor name (from c16) can be longer than 100 bytes (or missing a
terminating null), then the null is written past the end of vendor[].

Found with Parfait, http://research.sun.com/projects/parfait/

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Cc: Huang Ying <ying.huang@intel.com>
arch/x86/kernel/efi.c

index 19ccf6d0dccf51ea5e90ce16f229d530b057a0d5..fe26ba3e3451872c083c10b6ccf62651fcd762a0 100644 (file)
@@ -354,7 +354,7 @@ void __init efi_init(void)
         */
        c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2);
        if (c16) {
-               for (i = 0; i < sizeof(vendor) && *c16; ++i)
+               for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
                        vendor[i] = *c16++;
                vendor[i] = '\0';
        } else