[PowerPC] Allow traversal of oversize OF properties
Closed, Public

Authored by bdragon on Oct 4 2020, 11:48 PM.
Details

Summary

In standards such as LoPAPR, property names in excess of the usual 31 characters exist.

This breaks property traversal.

While in IEEE 1275-1994, nextprop is defined explicitly to work with a 32-byte region of memory, using a larger buffer should be fine. There is actually no way to pass a buffer length to the nextprop call in the OF client interface, so SLOF actually just blindly overflows the buffer.

So we have to defensively make the buffer larger.

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

As I was writing the patch description, I realized that we actually need to be even more defensive about property name lengths, as we aren't blocking userland from setting properties up to OFIOCMAXNAME, which means someone could force an overflow of newname[] by setting a long property to something and then traversing it, which would force OF to corrupt the kernel stack using nextprop.

Maybe we should stop playing whack-a-mole and just use an overkill bounce page that can hold the full name field (2048 bytes?)

This revision is now accepted and ready to land. Nov 3 2020, 10:32 PM
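
The bounce-buffer idea raised in the timeline, as an added C example that is not FreeBSD's code or part of this revision: the firmware call only ever writes into an oversize buffer, and names are copied out to callers with an explicit bound. `fw_nextprop`, `safe_nextprop`, `walk_props` and the property names are hypothetical and constructed; the 2048-byte size is the figure floated above, taken as an assumption.

```c
#include <string.h>
#define OF_STD_NAMELEN 32   /* IEEE 1275-1994 nextprop region: 31 chars + NUL */
#define BOUNCE_NAMELEN 2048 /* assumed bound: the figure floated in the thread */
/* Constructed property names standing in for one device-tree node. */
static const char *const sample_props[] = {
    "name", "ibm,constructed-property-name-longer-than-31-chars", "reg" };
#define NPROPS (sizeof(sample_props) / sizeof(sample_props[0]))
/* Hypothetical stand-in for firmware nextprop: no length argument, blind copy.
 * Returns 1 with the next name in buf, 0 at end of list, -1 if prev is unknown. */
static int fw_nextprop(const char *prev, char *buf)
{
    size_t i = 0;
    if (prev[0] != '\0') {
        while (i < NPROPS && strcmp(sample_props[i], prev) != 0)
            i++;
        if (i++ == NPROPS)
            return -1;
    }
    if (i >= NPROPS)
        return 0;
    strcpy(buf, sample_props[i]); /* unbounded, as in the client interface */
    return 1;
}

/* Firmware writes only into the oversize bounce buffer; out (outlen >= 1) is
 * filled with an explicit bound. Returns as fw_nextprop, or -2 if it won't fit. */
static int safe_nextprop(const char *prev, char *out, size_t outlen)
{
    static char bounce[BOUNCE_NAMELEN];
    int rv = fw_nextprop(prev, bounce); /* prev is consumed before out changes */
    out[0] = '\0';
    if (rv != 1)
        return rv;
    if (strlen(bounce) >= outlen)
        return -2;                      /* refuse rather than truncate */
    memcpy(out, bounce, strlen(bounce) + 1);
    return 1;
}

/* Walk the node with a bounce-sized cursor; count names over 31 characters. */
static int walk_props(size_t *oversize)
{
    char cur[BOUNCE_NAMELEN] = "";
    int n = 0;
    for (*oversize = 0; safe_nextprop(cur, cur, sizeof(cur)) == 1; n++)
        *oversize += (strlen(cur) >= OF_STD_NAMELEN);
    return n;
}

int main(void) { size_t over; return walk_props(&over) == 3 ? 0 : 1; }
```

In kernel code a shared bounce buffer would also need serialization between callers, which this example leaves out.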