Re: [Qemu-ppc] [PATCH] ppc/spapr: Fix buffer overflow in spapr_populate_
From: David Gibson
Subject: Re: [Qemu-ppc] [PATCH] ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory()
Date: Wed, 16 Sep 2015 12:24:47 +1000
User-agent: Mutt/1.5.23 (2014-03-12)

On Tue, Sep 15, 2015 at 09:34:20PM +0200, Thomas Huth wrote:
> The buffer that is allocated in spapr_populate_drconf_memory()
> is used for setting both the "ibm,dynamic-memory" and the
> "ibm,associativity-lookup-arrays" property. However, only the
> size of the first one is taken into account when allocating the
> memory. So if the length of the second property is larger than
> the length of the first one, we run into a buffer overflow here!
> Fix it by taking the length of the second property into account,
> too.
>
> Fixes: "spapr: Support ibm,dynamic-reconfiguration-memory" patch
> Signed-off-by: Thomas Huth <address@hidden>
Merged to spapr-next, thanks.
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
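
The sizing mistake described in the quoted commit message, as an added C example that is not part of the original mail and is not QEMU's code. The per-entry cell counts, the header cells and every function name here are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cell counts per entry, for illustration only (not from QEMU). */
#define DYN_MEM_CELLS_PER_LMB 6
#define ASSOC_CELLS_PER_NODE  4
/* Byte length of each property: 32-bit cells plus assumed header cells. */
static size_t dyn_mem_len(uint32_t nr_lmbs) {
    return ((size_t)nr_lmbs * DYN_MEM_CELLS_PER_LMB + 1) * sizeof(uint32_t);
}
static size_t assoc_len(uint32_t nr_nodes) {
    return ((size_t)nr_nodes * ASSOC_CELLS_PER_NODE + 2) * sizeof(uint32_t);
}
/* Sizing as described for the bug: only the first property counts. */
static size_t buf_len_first_only(uint32_t nr_lmbs, uint32_t nr_nodes) {
    (void)nr_nodes;
    return dyn_mem_len(nr_lmbs);
}
/* Sizing as described for the fix: the larger of the two properties. */
static size_t buf_len_both(uint32_t nr_lmbs, uint32_t nr_nodes) {
    size_t a = dyn_mem_len(nr_lmbs), b = assoc_len(nr_nodes);
    return a > b ? a : b;
}
/* Write one property into the shared buffer, refusing to go past its end. */
static int fill_prop(uint8_t *buf, size_t buf_len, size_t prop_len) {
    if (prop_len > buf_len) return -1;   /* would overflow the buffer */
    memset(buf, 0xAA, prop_len);         /* stand-in for encoding the cells */
    return 0;
}
/* Build both properties in one buffer: 0 ok, -1 overflow caught, -2 no memory. */
static int populate(uint32_t nr_lmbs, uint32_t nr_nodes,
                    size_t (*size_fn)(uint32_t, uint32_t)) {
    size_t len = size_fn(nr_lmbs, nr_nodes);
    uint8_t *buf = malloc(len);
    if (!buf) return -2;
    int rc = fill_prop(buf, len, dyn_mem_len(nr_lmbs));
    if (rc == 0) rc = fill_prop(buf, len, assoc_len(nr_nodes));
    free(buf);
    return rc;
}

int main(void) {
    /* Constructed case: 1 LMB, 4 nodes, so the second property is larger. */
    printf("first-only: %d, both: %d\n",
           populate(1, 4, buf_len_first_only), populate(1, 4, buf_len_both));
    return 0;
}
```

With few memory blocks and several nodes the second property outgrows the first, which is the case the first-only sizing misses.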