--- /dev/null
+From 08ab58d9de3eb8498ae0585001d0975e46217a39 Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+Date: Wed, 23 Aug 2017 18:04:04 -0700
+Subject: of/device: Prevent buffer overflow in of_device_modalias()
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+commit 08ab58d9de3eb8498ae0585001d0975e46217a39 upstream.
+
+As of_device_get_modalias() returns the number of bytes that would have
+been written to the target string, regardless of how much did fit in the
+buffer, it's possible that the returned index points beyond the buffer
+passed to of_device_modalias() - causing memory beyond the buffer to be
+null terminated.
+
+Fixes: 0634c2958927 ("of: Add function for generating a DT modalias with a newline")
+Cc: Rob Herring <robh@kernel.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/device.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/of/device.c
++++ b/drivers/of/device.c
+@@ -274,6 +274,8 @@ ssize_t of_device_modalias(struct device
+ ssize_t sl = of_device_get_modalias(dev, str, len - 2);
+ if (sl < 0)
+ return sl;
++ if (sl > len - 2)
++ return -ENOMEM;
+
+ str[sl++] = '\n';
+ str[sl] = 0;
cs5536-add-support-for-ide-controller-variant.patch
scsi-sg-protect-against-races-between-mmap-and-sg_set_reserved_size.patch
scsi-sg-recheck-mmap_io-request-length-with-lock-held.patch
+of-device-prevent-buffer-overflow-in-of_device_modalias.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
