git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
ACPI: APEI: EINJ: prevent memory corruption in error_type_set()
author: Dan Carpenter <dan.carpenter@linaro.org>
Wed, 25 Jun 2025 18:57:52 +0000 (13:57 -0500)
committer: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Thu, 26 Jun 2025 18:46:13 +0000 (20:46 +0200)
The "einj_buf" buffer is 32 chars.  If "count" is larger than that it
results in memory corruption.  Cap it at 31 so that we leave the last
character as a NUL terminator.  By the way, the highest reasonable value
for "count" is 24.

Fixes: 0c6176e1e186 ("ACPI: APEI: EINJ: Enable the discovery of EINJv2 capabilities")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Ira Weiny <ira.weiny@intel.com>
Link: https://patch.msgid.link/ae6286cf-4d73-4b97-8c0f-0782a65b8f51@sabinyo.mountain
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
drivers/acpi/apei/einj-core.c

index d6d7e36e3647982a2aaa983c231f7050da976d71..f5cfa6310f0e1ced2de8710d828c1eede6619504 100644 (file)
@@ -826,6 +826,10 @@ static ssize_t error_type_set(struct file *file, const char __user *buf,
        int rc;
        u64 val;
 
+       /* Leave the last character for the NUL terminator */
+       if (count > sizeof(einj_buf) - 1)
+               return -EINVAL;
+
        memset(einj_buf, 0, sizeof(einj_buf));
        if (copy_from_user(einj_buf, buf, count))
                return -EFAULT;
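
Review bot: The new check at the top of error_type_set() rejects an oversized write with -EINVAL, while the commit message says "Cap it at 31", which reads as truncation. Rejecting is the safer choice here, since a silently truncated string could parse as a different error type than the caller wrote, but the changelog and the in-code comment should say that writes longer than sizeof(einj_buf) - 1 are refused, so the userspace-visible behaviour is documented. The ordering is right: the bound is tested before the memset() and copy_from_user(), so the last byte of einj_buf is always left as the NUL that the memset() wrote. Since the message notes that the highest reasonable "count" is 24, the comment could also mention that the limit comes from the buffer size and not from the longest valid input, so nobody later tightens it to 24 and drops the terminator reasoning.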