releases/3.3.5/x86-efi-fix-pointer-math-issue-in-handle_ramdisks.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From c7b738351ba92f48b943ac59aff6b5b0f17f37c9 Mon Sep 17 00:00:00 2001
 From: Dan Carpenter <dan.carpenter@oracle.com>
 Date: Mon, 5 Mar 2012 21:06:14 +0300
 Subject: x86, efi: Fix pointer math issue in handle_ramdisks()

 From: Dan Carpenter <dan.carpenter@oracle.com>

 commit c7b738351ba92f48b943ac59aff6b5b0f17f37c9 upstream.

 "filename" is a efi_char16_t string so this check for reaching the end
 of the array doesn't work.  We need to cast the pointer to (u8 *) before
 doing the math.

 This patch changes the "filename" to "filename_16" to avoid confusion in
 the future.

 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
 Link: http://lkml.kernel.org/r/20120305180614.GA26880@elgon.mountain
 Acked-by: Matt Fleming <matt.fleming@intel.com>
 Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  arch/x86/boot/compressed/eboot.c |    8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

 --- a/arch/x86/boot/compressed/eboot.c
 +++ b/arch/x86/boot/compressed/eboot.c
 @@ -539,7 +539,7 @@ static efi_status_t handle_ramdisks(efi_
  		struct initrd *initrd;
  		efi_file_handle_t *h;
  		efi_file_info_t *info;
 -		efi_char16_t filename[256];
 +		efi_char16_t filename_16[256];
  		unsigned long info_sz;
  		efi_guid_t info_guid = EFI_FILE_INFO_ID;
  		efi_char16_t *p;
 @@ -552,14 +552,14 @@ static efi_status_t handle_ramdisks(efi_
  		str += 7;

  		initrd = &initrds[i];
 -		p = filename;
 +		p = filename_16;

  		/* Skip any leading slashes */
  		while (*str == '/' || *str == '\\')
  			str++;

  		while (*str && *str != ' ' && *str != '\n') {
 -			if (p >= filename + sizeof(filename))
 +			if ((u8 *)p >= (u8 *)filename_16 + sizeof(filename_16))
  				break;

  			*p++ = *str++;
 @@ -583,7 +583,7 @@ static efi_status_t handle_ramdisks(efi_
  				goto free_initrds;
  		}

 -		status = efi_call_phys5(fh->open, fh, &h, filename,
 +		status = efi_call_phys5(fh->open, fh, &h, filename_16,
  					EFI_FILE_MODE_READ, (u64)0);
  		if (status != EFI_SUCCESS)
  			goto close_handles;
	From c7b738351ba92f48b943ac59aff6b5b0f17f37c9 Mon Sep 17 00:00:00 2001
	From: Dan Carpenter <dan.carpenter@oracle.com>
	Date: Mon, 5 Mar 2012 21:06:14 +0300
	Subject: x86, efi: Fix pointer math issue in handle_ramdisks()

	From: Dan Carpenter <dan.carpenter@oracle.com>

	commit c7b738351ba92f48b943ac59aff6b5b0f17f37c9 upstream.

	"filename" is a efi_char16_t string so this check for reaching the end
	of the array doesn't work. We need to cast the pointer to (u8 *) before
	doing the math.

	This patch changes the "filename" to "filename_16" to avoid confusion in
	the future.

	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	Link: http://lkml.kernel.org/r/20120305180614.GA26880@elgon.mountain
	Acked-by: Matt Fleming <matt.fleming@intel.com>
	Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	arch/x86/boot/compressed/eboot.c \| 8 ++++----
	1 file changed, 4 insertions(+), 4 deletions(-)

	--- a/arch/x86/boot/compressed/eboot.c
	+++ b/arch/x86/boot/compressed/eboot.c
	@@ -539,7 +539,7 @@ static efi_status_t handle_ramdisks(efi_
	struct initrd *initrd;
	efi_file_handle_t *h;
	efi_file_info_t *info;
	- efi_char16_t filename[256];
	+ efi_char16_t filename_16[256];
	unsigned long info_sz;
	efi_guid_t info_guid = EFI_FILE_INFO_ID;
	efi_char16_t *p;
	@@ -552,14 +552,14 @@ static efi_status_t handle_ramdisks(efi_
	str += 7;

	initrd = &initrds[i];
	- p = filename;
	+ p = filename_16;

	/* Skip any leading slashes */
	while (str == '/' \|\| str == '\\')
	str++;

	while (str && str != ' ' && *str != '\n') {
	- if (p >= filename + sizeof(filename))
	+ if ((u8 )p >= (u8 )filename_16 + sizeof(filename_16))
	break;

	p++ = str++;
	@@ -583,7 +583,7 @@ static efi_status_t handle_ramdisks(efi_
	goto free_initrds;
	}

	- status = efi_call_phys5(fh->open, fh, &h, filename,
	+ status = efi_call_phys5(fh->open, fh, &h, filename_16,
	EFI_FILE_MODE_READ, (u64)0);
	if (status != EFI_SUCCESS)
	goto close_handles;