Fix buffer overflow when UTF-16 UEFI vendor string is copied from the
system table into a char array with a size of 100 bytes. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABAgAGBQJVt8LEAAoJEGvWsS0AyF7xg4gP/iZweJzesP29V1O6l+PxqEMU vTJYVEUBmzso2bt8GYb8EFhL3CdPmw5azGNksgOICL2Knd+sVlGLtMmfMupN7H1M j+f7o546UCw3g+e0huKJvGmBuNFJkTleXAh+KRWSlFDpt7IVqzjT1njVeF+xvd0b JG+a3+xPYCUuOUDv4mCVdQ3zueLhLBy/Mv3QWKAGyX0JdraT4PkgHSiD1c46YeAt l4uymuTGXJlSMTdwQK50QDevH5Nh28c7TaksH1OkZPHNxDogWuTeAUpFRpbtWGpQ VrGExlb/CYT14R6SvlG5Jz80BLlW0mHVYgwXXJZ+Z/tKquOnYR0B4ZnX7R8q7YgM g6YKOAPNhiifgwBbasXPt46po7SeBV0/qdUuOVpjdtZXKlUo7O57bGDcdchxJ5V5 WDuXJoA3wDcRUg99eEG8cPl0yb5DAzUhR0n+1WvQ7ON7G978QHW5YpXWQ13zEHGV rIDZelU+o2Yr84YIZBmuo7qip4xQU7AJaHmqs9GSxyNA1Kip8jJD2UJ/+7PW/l+F VsNasShQleiC+9nIkOhzkpgfy1BLb7+8PkfIgJiz6nz3i9PpTHKHsCAHOURoGjuP g2wHGxOsjcygkqkJQTMwlaGjhWbm7uP40d88kHmYqYfVDwLtYXdXsv/oH+zDN+zN UUFU9EIDgOkEocRNEMf+ =phfS -----END PGP SIGNATURE----- Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fix from Catalin Marinas: "Fix buffer overflow when UTF-16 UEFI vendor string is copied from the system table into a char array with a size of 100 bytes" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64/efi: map the entire UEFI vendor string before reading it
This commit is contained in:
commit
d61be4b3f2
|
@ -122,12 +122,12 @@ static int __init uefi_init(void)
|
||||||
|
|
||||||
/* Show what we know for posterity */
|
/* Show what we know for posterity */
|
||||||
c16 = early_memremap(efi_to_phys(efi.systab->fw_vendor),
|
c16 = early_memremap(efi_to_phys(efi.systab->fw_vendor),
|
||||||
sizeof(vendor));
|
sizeof(vendor) * sizeof(efi_char16_t));
|
||||||
if (c16) {
|
if (c16) {
|
||||||
for (i = 0; i < (int) sizeof(vendor) - 1 && *c16; ++i)
|
for (i = 0; i < (int) sizeof(vendor) - 1 && *c16; ++i)
|
||||||
vendor[i] = c16[i];
|
vendor[i] = c16[i];
|
||||||
vendor[i] = '\0';
|
vendor[i] = '\0';
|
||||||
early_memunmap(c16, sizeof(vendor));
|
early_memunmap(c16, sizeof(vendor) * sizeof(efi_char16_t));
|
||||||
}
|
}
|
||||||
|
|
||||||
pr_info("EFI v%u.%.02u by %s\n",
|
pr_info("EFI v%u.%.02u by %s\n",
|
||||||
|
|
Loading…
Reference in New Issue