From: Jim Meyering Date: Tue, 17 Apr 2012 19:27:54 +0000 (+0200) Subject: drm/nouveau/pm: don't read/write beyond end of stack buffer X-Git-Tag: accepted/tizen/common/20141203.182822~4807^2~3 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=5799d9e2eab20ef694fb92a7636f451e1b0e456c;p=platform%2Fkernel%2Flinux-arm64.git drm/nouveau/pm: don't read/write beyond end of stack buffer NUL-terminate after strncpy. If the parameter "profile" has length 16 or more, then strncpy leaves "string" with no NUL terminator, so the following search for '\n' may read beyond the end of that 16-byte buffer. If it finds a newline there, then it will also write beyond the end of that stack buffer. Signed-off-by: Jim Meyering Signed-off-by: Dave Airlie --- diff --git a/drivers/gpu/drm/nouveau/nouveau_pm.c b/drivers/gpu/drm/nouveau/nouveau_pm.c index 34d591b..da3e7c3 100644 --- a/drivers/gpu/drm/nouveau/nouveau_pm.c +++ b/drivers/gpu/drm/nouveau/nouveau_pm.c @@ -235,6 +235,7 @@ nouveau_pm_profile_set(struct drm_device *dev, const char *profile) return -EPERM; strncpy(string, profile, sizeof(string)); + string[sizeof(string) - 1] = 0; if ((ptr = strchr(string, '\n'))) *ptr = '\0';
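Review bot: The added line "string[sizeof(string) - 1] = 0;" after the strncpy in nouveau_pm_profile_set() stops the out-of-bounds read and write, but a "profile" of length 16 or more is now silently truncated to fit the buffer and then processed as if it were valid input. Consider rejecting over-long input instead, for example by using strlcpy(string, profile, sizeof(string)), which always NUL-terminates, and returning -EINVAL when its return value is >= sizeof(string). A smaller style point: the strchr branch two lines below writes the terminator as '\0', so using '\0' here rather than 0 would keep the function consistent.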