x86: fix buffer overflow in efi_init()

If the vendor name (from c16) can be longer than 100 bytes (or missing a terminating null), then the null is written past the end of vendor[]. Found with Parfait, http://research.sun.com/projects/parfait/Signed-off-by: N Roel Kluin <roel.kluin@gmail.com> Cc: Ingo Molnar <mingo@elte.hu> Signed-off-by: N Andrew Morton <akpm@linux-foundation.org> Signed-off-by: N H. Peter Anvin <hpa@zytor.com> Cc: Huang Ying <ying.huang@intel.com>

x86: fix buffer overflow in efi_init()
If the vendor name (from c16) can be longer than 100 bytes (or missing a terminating null), then the null is written past the end of vendor[]. Found with Parfait, http://research.sun.com/projects/parfait/Signed-off-by: N Roel Kluin <roel.kluin@gmail.com> Cc: Ingo Molnar <mingo@elte.hu> Signed-off-by: N Andrew Morton <akpm@linux-foundation.org> Signed-off-by: N H. Peter Anvin <hpa@zytor.com> Cc: Huang Ying <ying.huang@intel.com>
fdb8a427 · Roel Kluin · H. Peter Anvin · 498cdbfb · fdb8a427
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

arch/x86/kernel/efi.c arch/x86/kernel/efi.c +1 -1

未找到文件。
--- a/arch/x86/kernel/efi.c
+++ b/arch/x86/kernel/efi.c
@@ -354,7 +354,7 @@ void __init efi_init(void)
 	 */
 	c16 = tmp = early_ioremap(efi.systab->fw_vendor, 2);
 	if (c16) {
-		for (i = 0; i < sizeof(vendor) && *c16; ++i)
+		for (i = 0; i < sizeof(vendor) - 1 && *c16; ++i)
 			vendor[i] = *c16++;
 		vendor[i] = '\0';
 	} else