Re: [PATCH] printk: fix buffer overflow potential for print_text()

From: Sergey Senozhatsky
Date: Mon Jan 18 2021 - 19:46:13 EST


On (21/01/15 13:07), Petr Mladek wrote:
> On Fri 2021-01-15 13:04:37, Petr Mladek wrote:
> > On Thu 2021-01-14 18:10:12, John Ogness wrote:
> > > Before commit b6cf8b3f3312 ("printk: add lockless ringbuffer"),
> > > msg_print_text() would only write up to size-1 bytes into the
> > > provided buffer. Some callers expect this behavior and append
> > > a terminator to returned string. In particular:
> > >
> > > arch/powerpc/xmon/xmon.c:dump_log_buf()
> > > arch/um/kernel/kmsg_dump.c:kmsg_dumper_stdout()
> > >
> > > msg_print_text() has been replaced by record_print_text(), which
> > > currently fills the full size of the buffer. This causes a
> > > buffer overflow for the above callers.
> > >
> > > Change record_print_text() so that it will only use size-1 bytes
> > > for text data. Also, for paranoia sakes, add a terminator after
> > > the text data.
> > >
> > > And finally, document this behavior so that it is clear that only
> > > size-1 bytes are used and a terminator is added.
> > >
> > > Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer")
> > > Signed-off-by: John Ogness <john.ogness@xxxxxxxxxxxxx>

John, how did you spot these problems?

FWIW, Acked-by: Sergey Senozhatsky <sergey.senozhatsky@xxxxxxxxx>

> I forgot one thing. We should add stable here:
>
> Cc: stable@xxxxxxxxxxxxxxx # 5.10+

Good point.

-ss