aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFelix Fietkau <nbd@openwrt.org>2013-08-21 20:59:25 +0000
committerFelix Fietkau <nbd@openwrt.org>2013-08-21 20:59:25 +0000
commitedc8daeffeef93f2bd705e0dca33539f55b506fb (patch)
treeda8ca9958a4d4707fd9335916a0291cec173a2c4
parent69761e25bebfd5dc61be742c2c046995a9b03849 (diff)
downloadupstream-edc8daeffeef93f2bd705e0dca33539f55b506fb.tar.gz
upstream-edc8daeffeef93f2bd705e0dca33539f55b506fb.tar.bz2
upstream-edc8daeffeef93f2bd705e0dca33539f55b506fb.zip
kernel: crashlog: Avoid out-of-bounds write
vsnprintf returns the number of chars that would have been written, not the actual number of chars written. This can lead to crashlog_buf->len being too big which in turn can lead to get_maxlen() returning negative numbers. The length argument of kmsg_dump_get_buffer will be casted to a size_t which makes a negative input a big positive number allowing kmsg_dump_get_buffer to write out of bounds. Fix this by using vscnprintf which returns the actually written number of chars. Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@37820 3c298f89-4303-0410-b956-a3cf2f4a3e73
-rw-r--r--target/linux/generic/patches-3.10/930-crashlog.patch2
-rw-r--r--target/linux/generic/patches-3.3/930-crashlog.patch2
-rw-r--r--target/linux/generic/patches-3.6/930-crashlog.patch2
-rw-r--r--target/linux/generic/patches-3.8/930-crashlog.patch2
-rw-r--r--target/linux/generic/patches-3.9/930-crashlog.patch2
5 files changed, 5 insertions, 5 deletions
diff --git a/target/linux/generic/patches-3.10/930-crashlog.patch b/target/linux/generic/patches-3.10/930-crashlog.patch
index 22778c04c7..4aba013eda 100644
--- a/target/linux/generic/patches-3.10/930-crashlog.patch
+++ b/target/linux/generic/patches-3.10/930-crashlog.patch
@@ -166,7 +166,7 @@
+ return;
+
+ va_start(args, fmt);
-+ crashlog_buf->len += vsnprintf(
++ crashlog_buf->len += vscnprintf(
+ &crashlog_buf->data[crashlog_buf->len],
+ len, fmt, args);
+ va_end(args);
diff --git a/target/linux/generic/patches-3.3/930-crashlog.patch b/target/linux/generic/patches-3.3/930-crashlog.patch
index f6a52f3322..9a10723d76 100644
--- a/target/linux/generic/patches-3.3/930-crashlog.patch
+++ b/target/linux/generic/patches-3.3/930-crashlog.patch
@@ -166,7 +166,7 @@
+ return;
+
+ va_start(args, fmt);
-+ crashlog_buf->len += vsnprintf(
++ crashlog_buf->len += vscnprintf(
+ &crashlog_buf->data[crashlog_buf->len],
+ len, fmt, args);
+ va_end(args);
diff --git a/target/linux/generic/patches-3.6/930-crashlog.patch b/target/linux/generic/patches-3.6/930-crashlog.patch
index 8c1a18a5db..88923993f3 100644
--- a/target/linux/generic/patches-3.6/930-crashlog.patch
+++ b/target/linux/generic/patches-3.6/930-crashlog.patch
@@ -166,7 +166,7 @@
+ return;
+
+ va_start(args, fmt);
-+ crashlog_buf->len += vsnprintf(
++ crashlog_buf->len += vscnprintf(
+ &crashlog_buf->data[crashlog_buf->len],
+ len, fmt, args);
+ va_end(args);
diff --git a/target/linux/generic/patches-3.8/930-crashlog.patch b/target/linux/generic/patches-3.8/930-crashlog.patch
index da0d8008e4..4d0fc029d4 100644
--- a/target/linux/generic/patches-3.8/930-crashlog.patch
+++ b/target/linux/generic/patches-3.8/930-crashlog.patch
@@ -166,7 +166,7 @@
+ return;
+
+ va_start(args, fmt);
-+ crashlog_buf->len += vsnprintf(
++ crashlog_buf->len += vscnprintf(
+ &crashlog_buf->data[crashlog_buf->len],
+ len, fmt, args);
+ va_end(args);
diff --git a/target/linux/generic/patches-3.9/930-crashlog.patch b/target/linux/generic/patches-3.9/930-crashlog.patch
index 867e5bb2f3..d20c32d0d7 100644
--- a/target/linux/generic/patches-3.9/930-crashlog.patch
+++ b/target/linux/generic/patches-3.9/930-crashlog.patch
@@ -166,7 +166,7 @@
+ return;
+
+ va_start(args, fmt);
-+ crashlog_buf->len += vsnprintf(
++ crashlog_buf->len += vscnprintf(
+ &crashlog_buf->data[crashlog_buf->len],
+ len, fmt, args);
+ va_end(args);