linux-brain/drivers
Tyrel Datwyler 51a2b19b55 PCI: rpadlpar: Fix potential drc_name corruption in store functions
commit cc7a0bb058b85ea03db87169c60c7cfdd5d34678 upstream.

Both add_slot_store() and remove_slot_store() try to fix up the
drc_name copied from the store buffer by placing a NUL terminator at
nbyte + 1 or in place of a '\n' if present. However, the static buffer
that we copy the drc_name data into is not zeroed and can contain
anything past the n-th byte.

This is problematic if a '\n' byte appears in that buffer after nbytes
and the string copied into the store buffer was not NUL terminated to
start with as the strchr() search for a '\n' byte will mark this
incorrectly as the end of the drc_name string resulting in a drc_name
string that contains garbage data after the n-th byte.

Additionally it will cause us to overwrite that '\n' byte on the stack
with NUL, potentially corrupting data on the stack.

The following debugging shows an example of the drmgr utility writing
"PHB 4543" to the add_slot sysfs attribute, but add_slot_store()
logging a corrupted string value.

  drmgr: drmgr: -c phb -a -s PHB 4543 -d 1
  add_slot_store: drc_name = PHB 4543°|<82>!, rc = -19

Fix this by using strscpy() instead of memcpy() to ensure the string
is NUL terminated when copied into the static drc_name buffer.
Further, since the string is now NUL terminated the code only needs to
change '\n' to '\0' when present.

Cc: stable@vger.kernel.org
Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
[mpe: Reformat change log and add mention of possible stack corruption]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20210315214821.452959-1-tyreld@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-03-24 11:26:43 +01:00
accessibility
acpi ACPI: video: Add DMI quirk for GIGABYTE GB-BXBT-2807 2021-03-11 14:06:50 +01:00
amba amba: Fix resource leak for drivers without .remove 2021-03-04 10:26:32 +01:00
android binder: add flag to clear buffer on txn complete 2020-12-30 11:51:35 +01:00
ata ata: ahci_brcm: Add back regulators management 2021-03-04 10:26:23 +01:00
atm atm: idt77252: call pci_disable_device() on error path 2021-01-12 20:16:11 +01:00
auxdisplay auxdisplay: ht16k33: Fix refresh rate handling 2021-03-04 10:26:30 +01:00
base Revert "PM: runtime: Update device status before letting suppliers suspend" 2021-03-24 11:26:35 +01:00
bcma
block zram: fix return value on writeback_store 2021-03-17 17:03:57 +01:00
bluetooth Bluetooth: hci_h5: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for btrtl 2021-03-07 12:20:44 +01:00
bus bus: fsl-mc: fix error return code in fsl_mc_object_allocate() 2020-12-30 11:51:23 +01:00
cdrom
char tpm, tpm_tis: Decorate tpm_get_timeouts() with request_locality() 2021-03-09 11:09:36 +01:00
clk clk: aspeed: Fix APLL calculate formula from ast2600-A2 2021-03-04 10:26:34 +01:00
clocksource clocksource/drivers/mxs_timer: Add missing semicolon when DEBUG is defined 2021-03-04 10:26:29 +01:00
connector
counter counter: stm32-timer-cnt: fix ceiling write max value 2021-03-24 11:26:43 +01:00
cpufreq cpufreq: intel_pstate: Get per-CPU max freq via MSR_HWP_CAPABILITIES if available 2021-03-04 10:26:50 +01:00
cpuidle cpuidle: Fixup IRQ state 2020-09-09 19:12:21 +02:00
crypto crypto: sun4i-ss - initialize need_fallback 2021-03-04 10:26:45 +01:00
dax device-dax/core: Fix memory leak when rmmod dax.ko 2020-12-30 11:51:46 +01:00
dca
devfreq PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out 2020-10-01 13:17:14 +02:00
dio
dma dmaengine: hsu: disable spurious interrupt 2021-03-04 10:26:28 +01:00
dma-buf dmabuf: fix use-after-free of dmabuf's file->f_inode 2021-01-12 20:16:23 +01:00
edac EDAC/amd64: Fix PCI component registration 2020-12-30 11:51:36 +01:00
eisa
extcon extcon: max77693: Fix modalias string 2020-12-30 11:51:24 +01:00
firewire
firmware firmware: imx: select SOC_BUS to fix firmware build 2021-02-03 23:25:59 +01:00
fpga
fsi
gnss
gpio gpio: pcf857x: Fix missing first interrupt 2021-03-04 10:26:49 +01:00
gpu drm/i915/gvt: Fix vfio_edid issue for BXT/APL 2021-03-20 10:39:47 +01:00
greybus
hid HID: logitech-dj: add support for the new lightspeed connection iteration 2021-03-17 17:03:43 +01:00
hsi HSI: Fix PM usage counter unbalance in ssi_hw_init 2021-03-04 10:26:26 +01:00
hv Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() 2021-03-04 10:26:24 +01:00
hwmon hwmon: (pwm-fan) Ensure that calculation doesn't discard big period values 2021-01-19 18:26:15 +01:00
hwspinlock
hwtracing stm class: Fix module init return on allocation failure 2021-01-27 11:47:50 +01:00
i2c i2c: rcar: optimize cacheline to minimize HW race condition 2021-03-17 17:03:41 +01:00
i3c i3c master: fix missing destroy_workqueue() on error in i3c_master_register 2021-01-06 14:48:40 +01:00
ide scsi: ide: Do not set the RQF_PREEMPT flag for sense requests 2021-01-12 20:16:09 +01:00
idle
iio iio: hid-sensor-temperature: Fix issues of timestamp channel 2021-03-24 11:26:43 +01:00
infiniband IB/mlx5: Add missing error code 2021-03-09 11:09:38 +01:00
input Input: applespi - don't wait for responses to commands indefinitely. 2021-03-17 17:03:44 +01:00
interconnect interconnect: qcom: qcs404: Remove GPU and display RPM IDs 2020-12-16 10:56:56 +01:00
iommu iommu/amd: Fix performance counter initialization 2021-03-17 17:03:43 +01:00
ipack
irqchip irqchip/mips-cpu: Set IPI domain parent chip 2021-01-27 11:47:49 +01:00
isdn misdn: dsp: select CONFIG_BITREVERSE 2021-01-19 18:26:15 +01:00
leds leds: trigger: fix potential deadlock with libata 2021-02-03 23:25:58 +01:00
lightnvm lightnvm: fix memory leak when submit fails 2021-01-27 11:47:53 +01:00
macintosh macintosh/via-macii: Access autopoll_devs when inside lock 2020-08-19 08:16:15 +02:00
mailbox mailbox: avoid timer start from callback 2020-10-29 09:57:53 +01:00
mcb
md dm table: fix zoned iterate_devices based device capability checks 2021-03-11 14:06:49 +01:00
media media: rc: compile rc-cec.c into rc-core 2021-03-17 17:03:40 +01:00
memory memory: ti-aemif: Drop child node when jumping out loop 2021-03-04 10:26:14 +01:00
memstick memstick: r592: Fix error return in r592_probe() 2020-12-30 11:51:18 +01:00
message scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove() 2020-11-05 11:43:25 +01:00
mfd mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() 2021-03-04 10:26:33 +01:00
misc misc: fastrpc: restrict user apps from sending kernel RPC messages 2021-03-17 17:03:52 +01:00
mmc mmc: cqhci: Fix random crash when remove mmc module/card 2021-03-17 17:03:48 +01:00
mtd mtd: spi-nor: hisi-sfc: Put child node np on error path 2021-03-04 10:26:48 +01:00
mux
net net: dsa: b53: Support setting learning on port 2021-03-20 10:39:47 +01:00
nfc nfc: s3fwrn5: Release the nfc firmware 2020-12-30 11:51:26 +01:00
ntb NTB: hw: amd: fix an issue about leak system resources 2020-10-29 09:58:00 +01:00
nubus
nvdimm libnvdimm/dimm: Avoid race between probe and available_slots_show() 2021-02-10 09:25:30 +01:00
nvme nvme-rdma: fix possible hang when failing to set io queues 2021-03-24 11:26:40 +01:00
nvmem nvmem: core: skip child nodes not matching binding 2021-03-04 10:26:37 +01:00
of of/fdt: Make sure no-map does not remove already reserved regions 2021-03-04 10:26:28 +01:00
opp opp: Reduce the size of critical section in _opp_table_kref_release() 2020-11-18 19:20:21 +01:00
oprofile
parisc parisc: mask out enable and reserved bits from sba imask 2020-08-19 08:16:26 +02:00
parport
pci PCI: rpadlpar: Fix potential drc_name corruption in store functions 2021-03-24 11:26:43 +01:00
pcmcia
perf drivers/perf: thunderx2_pmu: Fix memory resource error handling 2020-10-29 09:57:30 +01:00
phy phy: rockchip-emmc: emmc_phy_init() always return 0 2021-03-04 10:26:36 +01:00
pinctrl pinctrl: ingenic: Fix JZ4760 support 2021-01-27 11:47:52 +01:00
platform Platform: OLPC: Fix probe error handling 2021-03-17 17:03:42 +01:00
pnp
power power: reset: at91-sama5d2_shdwc: fix wkupdbc mask 2021-03-04 10:26:28 +01:00
powercap powercap: restrict energy meter to root access 2020-11-10 21:13:20 +01:00
pps
ps3 powerpc/ps3: use dma_mapping_error() 2020-12-30 11:51:26 +01:00
ptp
pwm pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare() 2021-03-04 10:26:36 +01:00
rapidio rapidio: fix the missed put_device() for rio_mport_add_riodev 2020-10-29 09:57:53 +01:00
ras
regulator regulator: qcom-rpmh: fix pm8009 ldo7 2021-03-04 10:26:34 +01:00
remoteproc remoteproc: qcom: Fix potential NULL dereference in adsp_init_mmio() 2020-12-30 11:51:24 +01:00
reset
rpmsg rpmsg: glink: Use complete_all for open states 2020-11-05 11:43:20 +01:00
rtc rtc: s5m: select REGMAP_I2C 2021-03-04 10:26:29 +01:00
s390 s390/dasd: fix hanging IO request during DASD driver unbind 2021-03-17 17:03:48 +01:00
sbus
scsi scsi: myrs: Fix a double free in myrs_cleanup() 2021-03-24 11:26:40 +01:00
sfi
sh
siox
slimbus slimbus: qcom-ngd-ctrl: Avoid sending power requests without QMI 2020-12-30 11:51:13 +01:00
soc soc: aspeed: snoop: Add clock control logic 2021-03-04 10:26:16 +01:00
soundwire soundwire: cadence: fix ACK/NAK handling 2021-03-04 10:26:36 +01:00
spi spi: stm32: make spurious and overrun interrupts visible 2021-03-17 17:03:42 +01:00
spmi spmi: spmi-pmic-arb: Fix hw_irq overflow 2021-03-04 10:26:49 +01:00
ssb
staging staging: comedi: pcl818: Fix endian problem for AI command data 2021-03-17 17:03:55 +01:00
target scsi: target: core: Prevent underflow for service actions 2021-03-17 17:03:45 +01:00
tc
tee tee: optee: replace might_sleep with cond_resched 2021-02-03 23:25:58 +01:00
thermal thermal/drivers/cpufreq_cooling: Update cpufreq_state only if state has changed 2021-01-06 14:48:35 +01:00
thunderbolt thunderbolt: Fix use-after-free in remove_unplugged_switch() 2020-12-11 13:23:29 +01:00
tty vt/consolemap: do font sum unsigned 2021-03-07 12:20:44 +01:00
uio uio: Fix use-after-free in uio_unregister_device() 2020-11-18 19:20:29 +01:00
usb usb: typec: tcpm: Invoke power_supply_changed for tcpm-source-psy- 2021-03-24 11:26:41 +01:00
vfio vfio: IOMMU_API should be selected 2021-03-24 11:26:38 +01:00
vhost vhost_net: fix ubuf refcount incorrectly when sendmsg fails 2021-01-12 20:16:16 +01:00
video udlfb: Fix memory leak in dlfb_usb_probe 2021-03-07 12:20:42 +01:00
virt virt: vbox: Do not use wait_event_interruptible when called from kernel context 2021-03-04 10:26:10 +01:00
virtio virtio_ring: Fix two use after free bugs 2020-12-30 11:51:29 +01:00
visorbus
vlynq
vme
w1 w1: mxc_w1: Fix timeout resolution problem leading to bus error 2020-11-05 11:43:25 +01:00
watchdog watchdog: mei_wdt: request stop on unregister 2021-03-04 10:26:47 +01:00
xen xen/events: avoid handling the same event on two cpus at the same time 2021-03-17 17:03:58 +01:00
zorro
Kconfig
Makefile