mm/cma_debug.c: fix stack corruption due to sprintf usage
authorPrakash Gupta <guptap@codeaurora.org>
Fri, 18 Aug 2017 22:16:21 +0000 (15:16 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Fri, 18 Aug 2017 22:32:02 +0000 (15:32 -0700)
name[] in cma_debugfs_add_one() can only accommodate 16 chars including
NULL to store sprintf output.  It's common for cma device name to be
larger than 15 chars.  This can cause stack corrpution.  If the gcc
stack protector is turned on, this can cause a panic due to stack
corruption.

Below is one example trace:

  Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in:
  ffffff8e69a75730
  Call trace:
     dump_backtrace+0x0/0x2c4
     show_stack+0x20/0x28
     dump_stack+0xb8/0xf4
     panic+0x154/0x2b0
     print_tainted+0x0/0xc0
     cma_debugfs_init+0x274/0x290
     do_one_initcall+0x5c/0x168
     kernel_init_freeable+0x1c8/0x280

Fix the short sprintf buffer in cma_debugfs_add_one() by using
scnprintf() instead of sprintf().

Link: http://lkml.kernel.org/r/1502446217-21840-1-git-send-email-guptap@codeaurora.org
Fixes: f318dd083c81 ("cma: Store a name in the cma structure")
Signed-off-by: Prakash Gupta <guptap@codeaurora.org>
Acked-by: Laura Abbott <labbott@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/cma_debug.c

index 595b757bef72722fb2715afd9ab0cd1536181c9e..c03ccbc405a066038619361cf995f675dc2efaa1 100644 (file)
@@ -167,7 +167,7 @@ static void cma_debugfs_add_one(struct cma *cma, int idx)
        char name[16];
        int u32s;
 
-       sprintf(name, "cma-%s", cma->name);
+       scnprintf(name, sizeof(name), "cma-%s", cma->name);
 
        tmp = debugfs_create_dir(name, cma_debugfs_root);