Fabiano Rosas cc941111a5 spapr: fix out of bounds write in spapr_populate_drmem_v2 ... buf_len is uint8_t which is not large enough to hold the result of: nr_entries * sizeof(struct sPAPRDrconfCellV2) + sizeof(uint32_t); for a nr_entries greater than 10. This causes the allocated buffer 'int_buf' to be smaller than expected and we eventually overwrite some of glibc's control structures (see "chunk" in https://sourceware.org/glibc/wiki/MallocInternals) The following error is seen while trying to free int_buf: "free(): invalid next size (fast)" Fixes: a324d6f166 "spapr: Support ibm,dynamic-memory-v2 property" Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com> Message-Id: <20190213172926.21740-1-farosas@linux.ibm.com> Reviewed-by: Greg Kurz <groug@kaod.org> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>		2019-02-17 21:54:02 +11:00
..
e500-ccsr.h
e500.c
e500.h
e500plat.c
fdt.c
mac_newworld.c
mac_oldworld.c
mac.h
Makefile.objs
mpc8544_guts.c
mpc8544ds.c
pnv_bmc.c
pnv_core.c
pnv_lpc.c
pnv_occ.c
pnv_psi.c
pnv_xscom.c
pnv.c
ppc4xx_devs.c
ppc4xx_pci.c
ppc405_boards.c
ppc405_uc.c
ppc405.h
ppc440_bamboo.c
ppc440_pcix.c
ppc440_uc.c
ppc440.h
ppc_booke.c
ppc.c
ppce500_spin.c
prep_systemio.c
prep.c
rs6000_mc.c
sam460ex.c
spapr_caps.c
spapr_cpu_core.c
spapr_drc.c
spapr_events.c
spapr_hcall.c
spapr_iommu.c
spapr_irq.c
spapr_ovec.c
spapr_pci_vfio.c
spapr_pci.c
spapr_rng.c
spapr_rtas_ddw.c
spapr_rtas.c
spapr_rtc.c
spapr_vio.c
spapr.c	spapr: fix out of bounds write in spapr_populate_drmem_v2	2019-02-17 21:54:02 +11:00
trace-events
virtex_ml507.c