
[PowerPC] Allow traversal of oversize OF properties
Closed, Public

Authored by bdragon on Oct 4 2020, 11:48 PM.

Details

Summary

In standards such as LoPAPR, property names in excess of the usual 31 characters exist.

This breaks property traversal.

While in IEEE 1275-1994, nextprop is defined explicitly to work with a 32-byte region of memory, using a larger buffer should be fine. There is actually no way to pass a buffer length to the nextprop call in the OF client interface, so SLOF actually just blindly overflows the buffer.

So we have to defensively make the buffer larger.

Diff Detail

Repository: rS FreeBSD src repository - subversion
Lint: Automatic diff as part of commit; lint not applicable.
Unit: Automatic diff as part of commit; unit tests not applicable.

Event Timeline

As I was writing the patch description, I realized that we actually need to be even more defensive about property name lengths, as we aren't blocking userland from setting properties up to OFIOCMAXNAME, which means someone could force an overflow of newname[] by setting a long property to something and then traversing it, which would force OF to corrupt the kernel stack using nextprop.

Maybe we should stop playing whack-a-mole and just use an overkill bounce page that can hold the full name field (2048 bytes?)
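
The defensive pattern discussed above, as an added example that is not part of this revision or of FreeBSD's code: a mock firmware `nextprop` with no length argument, wrapped so that the firmware writes only into a bounce buffer and the caller receives a length-checked copy. The function names, return codes, property list and the 2048-byte bounce size (taken from the "2048 bytes?" suggestion) are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define OF_STD_NAMELEN 32   /* IEEE 1275-1994 nextprop region: 31 chars + NUL */
#define BOUNCE_LEN 2048     /* assumed; must cover the longest name that can be set */

/* Constructed property list; the second name is longer than 31 characters. */
static const char *const props[] = {
    "name", "constructed,oversize-property-name-for-demonstration", "reg",
};
#define NPROPS (sizeof(props) / sizeof(props[0]))

/* Mock firmware call (hypothetical): like the OF client interface it takes no
 * buffer length and copies the whole name. 1 = found, 0 = no more, -1 = error. */
static int fw_nextprop(const char *prev, char *buf)
{
    size_t i = 0;
    if (prev != NULL && prev[0] != '\0') {
        while (i < NPROPS && strcmp(props[i], prev) != 0)
            i++;
        if (i == NPROPS)
            return -1;
        i++;                    /* step to the property after prev */
    }
    if (i >= NPROPS)
        return 0;
    strcpy(buf, props[i]);      /* unbounded on purpose: models the interface */
    return 1;
}

/* Defensive wrapper (hypothetical): only the bounce buffer is exposed to the
 * firmware. Returns -2, leaving out untouched, when the name does not fit. */
static int safe_nextprop(const char *prev, char *out, size_t outlen)
{
    static char bounce[BOUNCE_LEN];
    int rv = fw_nextprop(prev, bounce);
    if (rv != 1)
        return rv;
    size_t n = strlen(bounce);
    if (n >= outlen)
        return -2;              /* report the oversize name instead of overflowing */
    memcpy(out, bounce, n + 1);
    return 1;
}

int main(void)
{
    char name[OF_STD_NAMELEN] = "";
    int rv;
    while ((rv = safe_nextprop(name, name, sizeof(name))) == 1)
        puts(name);
    printf("traversal stopped with %d\n", rv);
    return 0;
}
```

With a 32-byte caller buffer the traversal stops with an explicit error at the oversize name; a caller that wants to continue past it passes a buffer as large as the bounce buffer.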

This revision is now accepted and ready to land. Nov 3 2020, 10:32 PM