powerpc-utils/powerpc-utils-1.3.10-nvram-print-config-crash.patch


commit 3f72b8326a2fc9a9dffb4b31d0ce3abf12e24751
Author: Likhitha Korrapati <likhitha@linux.ibm.com>
Date: Thu Jan 25 15:44:02 2024 +0530
powerpc/nvram: fix segmentation fault issue in print-config

print-config option in nvram results in segmentation fault when the
user provides a very large value.

without the patch:
[root@xxx powerpc-utils]# nvram --print-config=real-mode?
true
[root@xxx powerpc-utils]# nvram --print-config=$(perl -e 'print "A"x1000000')
Segmentation fault (core dumped)

The Segmentation fault occurs because the code tries to access memory
beyond the bounds of the data at index varlen. varlen is the length of
the string provided by the user.

This patch adds a condition to check whether the length of the data is
greater than varlen to prevent accessing out of bounds.

with the patch:
[root@xxx powerpc-utils]# ./src/nvram --print-config=real-mode?
true
[root@xxx powerpc-utils]# ./src/nvram --print-config=$(perl -e 'print "A"x1000000')

Reported-by: Shirisha Ganta <shirisha@linux.ibm.com>
Signed-off-by: Likhitha Korrapati <likhitha@linux.ibm.com>
Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
diff --git a/src/nvram.c b/src/nvram.c
index f051e9c..095e747 100644
--- a/src/nvram.c
+++ b/src/nvram.c
@@ -1280,7 +1280,7 @@ print_of_config(struct nvram *nvram, char *config_var, char *pname,
data = (char *)phead + sizeof(*phead);
while (*data != '\0') {
- if ((data[varlen] == '=') &&
+ if (strlen(data) > varlen && (data[varlen] == '=') &&
strncmp(config_var, data, varlen) == 0) {
printf("%s%c", data + varlen + 1, terminator);
rc = 0;
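Review bot: On the added line, `strlen(data) > varlen` walks the whole entry on every loop iteration only to make the following `data[varlen]` read safe, and the same guarantee is available by reordering the tests that are already there. The commit message says varlen is the length of the user's string, so `strncmp(config_var, data, varlen) == 0` can only succeed when data holds at least varlen non-NUL bytes; checking it first and `data[varlen] == '='` second never indexes past the entry's terminator and drops the extra scan. If the strlen form stays, a one-line comment saying that the length test exists to guard the index would help the next reader, and the type of varlen is worth confirming because strlen returns size_t and a signed varlen makes this a mixed-signedness comparison. Note also that, in the lines visible here, both `while (*data != '\0')` and the new strlen call trust the partition data to be NUL-terminated; neither is bounded by the partition's end, so a length-limited scan (strnlen against the remaining partition size) would be the more defensive choice.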