diff options
| author | Felix Fietkau <nbd@openwrt.org> | 2013-08-21 20:59:25 +0000 |
|---|---|---|
| committer | Felix Fietkau <nbd@openwrt.org> | 2013-08-21 20:59:25 +0000 |
| commit | 3848e6a246192d42160034e106f838b791931dce (patch) | |
| tree | 3749a5663d177b71497810db03192b740aef1328 | |
| parent | 3e28d0849ee6cd39bfcc1a3458881b1e5e09c75c (diff) | |
| download | master-31e0f0ae-3848e6a246192d42160034e106f838b791931dce.tar.gz master-31e0f0ae-3848e6a246192d42160034e106f838b791931dce.tar.bz2 master-31e0f0ae-3848e6a246192d42160034e106f838b791931dce.zip | |
kernel: crashlog: Avoid out-of-bounds write
vsnprintf returns the number of chars that would have been written, not
the actual number of chars written. This can lead to crashlog_buf->len
being too big which in turn can lead to get_maxlen() returning negative
numbers. The length argument of kmsg_dump_get_buffer will be casted to
a size_t which makes a negative input a big positive number allowing
kmsg_dump_get_buffer to write out of bounds.
Fix this by using vscnprintf which returns the actually written number
of chars.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
SVN-Revision: 37820
5 files changed, 5 insertions, 5 deletions
diff --git a/target/linux/generic/patches-3.10/930-crashlog.patch b/target/linux/generic/patches-3.10/930-crashlog.patch index 22778c04c7..4aba013eda 100644 --- a/target/linux/generic/patches-3.10/930-crashlog.patch +++ b/target/linux/generic/patches-3.10/930-crashlog.patch @@ -166,7 +166,7 @@ + return; + + va_start(args, fmt); -+ crashlog_buf->len += vsnprintf( ++ crashlog_buf->len += vscnprintf( + &crashlog_buf->data[crashlog_buf->len], + len, fmt, args); + va_end(args); diff --git a/target/linux/generic/patches-3.3/930-crashlog.patch b/target/linux/generic/patches-3.3/930-crashlog.patch index f6a52f3322..9a10723d76 100644 --- a/target/linux/generic/patches-3.3/930-crashlog.patch +++ b/target/linux/generic/patches-3.3/930-crashlog.patch @@ -166,7 +166,7 @@ + return; + + va_start(args, fmt); -+ crashlog_buf->len += vsnprintf( ++ crashlog_buf->len += vscnprintf( + &crashlog_buf->data[crashlog_buf->len], + len, fmt, args); + va_end(args); diff --git a/target/linux/generic/patches-3.6/930-crashlog.patch b/target/linux/generic/patches-3.6/930-crashlog.patch index 8c1a18a5db..88923993f3 100644 --- a/target/linux/generic/patches-3.6/930-crashlog.patch +++ b/target/linux/generic/patches-3.6/930-crashlog.patch @@ -166,7 +166,7 @@ + return; + + va_start(args, fmt); -+ crashlog_buf->len += vsnprintf( ++ crashlog_buf->len += vscnprintf( + &crashlog_buf->data[crashlog_buf->len], + len, fmt, args); + va_end(args); diff --git a/target/linux/generic/patches-3.8/930-crashlog.patch b/target/linux/generic/patches-3.8/930-crashlog.patch index da0d8008e4..4d0fc029d4 100644 --- a/target/linux/generic/patches-3.8/930-crashlog.patch +++ b/target/linux/generic/patches-3.8/930-crashlog.patch @@ -166,7 +166,7 @@ + return; + + va_start(args, fmt); -+ crashlog_buf->len += vsnprintf( ++ crashlog_buf->len += vscnprintf( + &crashlog_buf->data[crashlog_buf->len], + len, fmt, args); + va_end(args); diff --git a/target/linux/generic/patches-3.9/930-crashlog.patch b/target/linux/generic/patches-3.9/930-crashlog.patch index 867e5bb2f3..d20c32d0d7 100644 --- a/target/linux/generic/patches-3.9/930-crashlog.patch +++ b/target/linux/generic/patches-3.9/930-crashlog.patch @@ -166,7 +166,7 @@ + return; + + va_start(args, fmt); -+ crashlog_buf->len += vsnprintf( ++ crashlog_buf->len += vscnprintf( + &crashlog_buf->data[crashlog_buf->len], + len, fmt, args); + va_end(args); |