From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 8 Sep 2017 07:24:05 +0000 (+0200)
Subject: 4.12-stable patches
X-Git-Tag: v4.13.1~6
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b6a8840f45b99aa929159ab96bc04e8bbbe7327d;p=thirdparty%2Fkernel%2Fstable-queue.git

4.12-stable patches

added patches:
	of-device-prevent-buffer-overflow-in-of_device_modalias.patch
---

diff --git a/queue-4.12/of-device-prevent-buffer-overflow-in-of_device_modalias.patch b/queue-4.12/of-device-prevent-buffer-overflow-in-of_device_modalias.patch
new file mode 100644
index 00000000000..7fd3ddb2e1b
--- /dev/null
+++ b/queue-4.12/of-device-prevent-buffer-overflow-in-of_device_modalias.patch
@@ -0,0 +1,36 @@
+From 08ab58d9de3eb8498ae0585001d0975e46217a39 Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+Date: Wed, 23 Aug 2017 18:04:04 -0700
+Subject: of/device: Prevent buffer overflow in of_device_modalias()
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+commit 08ab58d9de3eb8498ae0585001d0975e46217a39 upstream.
+
+As of_device_get_modalias() returns the number of bytes that would have
+been written to the target string, regardless of how much did fit in the
+buffer, it's possible that the returned index points beyond the buffer
+passed to of_device_modalias() - causing memory beyond the buffer to be
+null terminated.
+
+Fixes: 0634c2958927 ("of: Add function for generating a DT modalias with a newline")
+Cc: Rob Herring <robh@kernel.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/device.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/of/device.c
++++ b/drivers/of/device.c
+@@ -274,6 +274,8 @@ ssize_t of_device_modalias(struct device
+ 	ssize_t sl = of_device_get_modalias(dev, str, len - 2);
+ 	if (sl < 0)
+ 		return sl;
++	if (sl > len - 2)
++		return -ENOMEM;
+ 
+ 	str[sl++] = '\n';
+ 	str[sl] = 0;
diff --git a/queue-4.12/series b/queue-4.12/series
index 3ceff4fb21d..b8ed589b9c1 100644
--- a/queue-4.12/series
+++ b/queue-4.12/series
@@ -38,3 +38,4 @@ ahci-don-t-use-msi-for-devices-with-the-silly-intel-nvme-remapping-scheme.patch
 cs5536-add-support-for-ide-controller-variant.patch
 scsi-sg-protect-against-races-between-mmap-and-sg_set_reserved_size.patch
 scsi-sg-recheck-mmap_io-request-length-with-lock-held.patch
+of-device-prevent-buffer-overflow-in-of_device_modalias.patch