kernel: crashlog: Avoid out-of-bounds write
authorFelix Fietkau <nbd@openwrt.org>
Wed, 21 Aug 2013 20:59:25 +0000 (20:59 +0000)
committerFelix Fietkau <nbd@openwrt.org>
Wed, 21 Aug 2013 20:59:25 +0000 (20:59 +0000)
vsnprintf returns the number of chars that would have been written, not
the actual number of chars written. This can lead to crashlog_buf->len
being too big which in turn can lead to get_maxlen() returning negative
numbers. The length argument of kmsg_dump_get_buffer will be casted to
a size_t which makes a negative input a big positive number allowing
kmsg_dump_get_buffer to write out of bounds.

Fix this by using vscnprintf which returns the actually written number
of chars.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
SVN-Revision: 37820

target/linux/generic/patches-3.10/930-crashlog.patch
target/linux/generic/patches-3.3/930-crashlog.patch
target/linux/generic/patches-3.6/930-crashlog.patch
target/linux/generic/patches-3.8/930-crashlog.patch
target/linux/generic/patches-3.9/930-crashlog.patch

index 22778c04c79d206376688d3ef97e5eb8a1077e5c..4aba013eda46e7b0ada63267a3c143a84545aab0 100644 (file)
 +              return;
 +
 +      va_start(args, fmt);
-+      crashlog_buf->len += vsnprintf(
++      crashlog_buf->len += vscnprintf(
 +              &crashlog_buf->data[crashlog_buf->len],
 +              len, fmt, args);
 +      va_end(args);
index f6a52f3322f903902f683395fffec7af62547a59..9a10723d76fe9dff025f3e5d182993063f021bb8 100644 (file)
 +              return;
 +
 +      va_start(args, fmt);
-+      crashlog_buf->len += vsnprintf(
++      crashlog_buf->len += vscnprintf(
 +              &crashlog_buf->data[crashlog_buf->len],
 +              len, fmt, args);
 +      va_end(args);
index 8c1a18a5db678605a3843aaaecbeaa16777a728b..88923993f313acbc1c650cd3a396a4077c43aef0 100644 (file)
 +              return;
 +
 +      va_start(args, fmt);
-+      crashlog_buf->len += vsnprintf(
++      crashlog_buf->len += vscnprintf(
 +              &crashlog_buf->data[crashlog_buf->len],
 +              len, fmt, args);
 +      va_end(args);
index da0d8008e414a21bf261f64a2110e2acfb55aa5c..4d0fc029d4c09fec5c2b01038df41a99ff66f281 100644 (file)
 +              return;
 +
 +      va_start(args, fmt);
-+      crashlog_buf->len += vsnprintf(
++      crashlog_buf->len += vscnprintf(
 +              &crashlog_buf->data[crashlog_buf->len],
 +              len, fmt, args);
 +      va_end(args);
index 867e5bb2f394d6f244bf3d20bb3d95671efc0966..d20c32d0d7b0f0977ef5e26586321dfaec4171c1 100644 (file)
 +              return;
 +
 +      va_start(args, fmt);
-+      crashlog_buf->len += vsnprintf(
++      crashlog_buf->len += vscnprintf(
 +              &crashlog_buf->data[crashlog_buf->len],
 +              len, fmt, args);
 +      va_end(args);