
[PowerPC] Allow traversal of oversize OF properties

Authored by bdragon on Oct 4 2020, 11:48 PM.



In standards such as LoPAPR, property names in excess of the usual 31 characters exist.

This breaks property traversal.

While in IEEE 1275-1994, nextprop is defined explicitly to work with a 32-byte region of memory, using a larger buffer should be fine. There is actually no way to pass a buffer length to the nextprop call in the OF client interface, so SLOF actually just blindly overflows the buffer.

So we have to defensively make the buffer larger.

Diff Detail

rS FreeBSD src repository - subversion
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

As I was writing the patch description, I realized that we actually need to be even more defensive about property name lengths, as we aren't blocking userland from setting properties up to OFIOCMAXNAME, which means someone could force an overflow of newname[] by setting a long property to something and then traversing it, which would force OF to corrupt the kernel stack using nextprop.

Maybe we should stop playing whack-a-mole and just use an overkill bounce page that can hold the full name field (2048 bytes?)

This revision is now accepted and ready to land. Nov 3 2020, 10:32 PM
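
An added example, not part of the FreeBSD change or the review discussion: a userland C model of the bounce-buffer idea raised in the comment above, where the firmware call writes only into a large scratch buffer and the name is length-checked before it reaches a fixed-size destination. `mock_nextprop`, `safe_nextprop`, `walk_props`, the property names and the -2 return code are hypothetical, and `BOUNCE_SIZE` assumes that 2048 bytes really is an upper bound on the name length.

```c
#include <stddef.h>
#include <string.h>

#define OF_NAMELEN  32    /* IEEE 1275-1994 nextprop region */
#define BOUNCE_SIZE 2048  /* assumed bound, from the "2048 bytes?" comment */

/* Constructed property names for a mock node; the second exceeds 31 chars. */
static const char *const props[] = {
    "name", "ibm,a-constructed-property-name-over-31-chars", "reg" };
#define NPROPS (sizeof(props) / sizeof(props[0]))

/* Mock firmware call: no length argument, writes the whole name into buf.
 * Returns 1 if a name was written, 0 at end of list, -1 if prev is unknown. */
static int mock_nextprop(const char *prev, char *buf) {
    size_t i = 0;
    if (prev[0] != '\0') {
        while (i < NPROPS && strcmp(props[i], prev) != 0) i++;
        if (i == NPROPS) return -1;
        i++;
    }
    if (i >= NPROPS) return 0;
    strcpy(buf, props[i]);  /* unbounded, like the real interface */
    return 1;
}

/* Hypothetical wrapper: firmware writes only into the bounce buffer; the
 * caller's buffer is filled only after the length has been checked.
 * Returns -2 (and the required size in *needed) when out is too small. */
static int safe_nextprop(const char *prev, char *out, size_t outlen, size_t *needed) {
    static char bounce[BOUNCE_SIZE];
    int rv = mock_nextprop(prev, bounce);
    if (rv <= 0) return rv;
    const char *nul = memchr(bounce, '\0', sizeof(bounce));
    if (nul == NULL) return -1;          /* unterminated: do not trust it */
    *needed = (size_t)(nul - bounce) + 1;
    if (*needed > outlen) return -2;     /* would overflow the caller */
    memcpy(out, bounce, *needed);
    return 1;
}

/* Traverse every property with a full-size cursor; count oversize names. */
static int walk_props(size_t *oversize) {
    char cursor[BOUNCE_SIZE] = "", next[BOUNCE_SIZE];
    size_t need;
    int count = 0;
    for (*oversize = 0; safe_nextprop(cursor, next, sizeof(next), &need) == 1; count++) {
        if (need > OF_NAMELEN) (*oversize)++;
        memcpy(cursor, next, need);
    }
    return count;
}

int main(void) { size_t o; return walk_props(&o) == 3 && o == 1 ? 0 : 1; }
```

A caller that passes a 32-byte destination gets -2 for the long name instead of an overrun, while the traversal itself still reaches the properties that follow it.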