| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 23 Jan 2021 22:41:23 +0100
From: Sven Schnelle <svens@...ux.ibm.com>
To: John Ogness <john.ogness@...utronix.de>
Cc: Petr Mladek <pmladek@...e.com>,
Sergey Senozhatsky <sergey.senozhatsky.work@...il.com>,
Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
Steven Rostedt <rostedt@...dmis.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] printk: fix buffer overflow potential for print_text()
Sven Schnelle <svens@...ux.ibm.com> writes:
> John Ogness <john.ogness@...utronix.de> writes:
>
>> On 2021-01-22, Sven Schnelle <svens@...ux.ibm.com> wrote:
> I was able to reproduce it in a virtual machine where i have a few more
> ways to debug. What i got was:
>
> 01: -> 00000000001B8814" MVI 92001000 >> 000000000163F1CD CC 2
>
> That's a watchpoint telling me that the code at 0x1b8814 wants to store
> one byte to 0x163f1cd, which is the second byte of console_drivers.
>
> gdb tells me about 0x1b8814:
>
> (gdb) list *(0x1b8814)
> 0x1b8814 is in record_print_text (/home/svens/ibmgit/linux/kernel/printk/printk.c:1402).
> 1397 * If a buffer was provided, it will be terminated. Space for the
> 1398 * string terminator is guaranteed to be available. The terminator is
> 1399 * not counted in the return value.
> 1400 */
> 1401 if (buf_size > 0)
> 1402 text[len] = 0;
I don't think i have really understood how all the printk magic works,
but using r->text_buf[len] seems to be the correct place to put the zero byte
in that case?
> 1403
> 1404 return len;
> 1405 }
> 1406
>
Powered by blists - more mailing lists