From 671308378e475712bcc608f2ae0fd990c2321606 Mon Sep 17 00:00:00 2001 From: Thomas Huth Date: Tue, 15 Sep 2015 20:33:37 +0200 Subject: [PATCH 05/22] ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory() Message-id: <1442349217-19986-3-git-send-email-thuth@redhat.com> Patchwork-id: 67772 O-Subject: [RHEL7.2 qemu-kvm-rhev PATCH 2/2] ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory() Bugzilla: 1262670 RH-Acked-by: Miroslav Rezanina RH-Acked-by: Laurent Vivier RH-Acked-by: David Gibson The buffer that is allocated in spapr_populate_drconf_memory() is used for setting both, the "ibm,dynamic-memory" and the "ibm,associativity-lookup-arrays" property. However, only the size of the first one is taken into account when allocating the memory. So if the length of the second property is larger than the length of the first one, we run into a buffer overflow here! Fix it by taking the length of the second property into account, too. Fixes: "spapr: Support ibm,dynamic-reconfiguration-memory" patch Signed-off-by: Thomas Huth Signed-off-by: Miroslav Rezanina --- hw/ppc/spapr.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c index f3a0517..6e98371 100644 --- a/hw/ppc/spapr.c +++ b/hw/ppc/spapr.c @@ -719,9 +719,12 @@ static int spapr_populate_drconf_memory(sPAPRMachineState *spapr, void *fdt) uint32_t *int_buf, *cur_index, buf_len; int nr_nodes = nb_numa_nodes ? nb_numa_nodes : 1; - /* Allocate enough buffer size to fit in ibm,dynamic-memory */ - buf_len = nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE * sizeof(uint32_t) + - sizeof(uint32_t); + /* + * Allocate enough buffer size to fit in ibm,dynamic-memory + * or ibm,associativity-lookup-arrays + */ + buf_len = MAX(nr_lmbs * SPAPR_DR_LMB_LIST_ENTRY_SIZE + 1, nr_nodes * 4 + 2) + * sizeof(uint32_t); cur_index = int_buf = g_malloc0(buf_len); offset = fdt_add_subnode(fdt, 0, "ibm,dynamic-reconfiguration-memory"); -- 1.8.3.1