mirror of
https://github.com/followmsi/android_kernel_google_msm.git
synced 2024-11-06 23:17:41 +00:00
b2a127bf8c
This patch corrects a buffer overflow in kernels from 3.0 to 3.4 when calling log_prefix() function from call_console_drivers().

This bug existed in previous releases but has been revealed with commit 162a7e7500 (2.6.39 => 3.0) that made changes about how to allocate memory for early printk buffer (use of memblock_alloc). It disappears with commit 7ff9554bb5 (3.4 => 3.5) that does a refactoring of printk buffer management.

In log_prefix(), the access to "p[0]", "p[1]", "p[2]" or "simple_strtoul(&p[1], &endp, 10)" may cause a buffer overflow as this function is called from call_console_drivers by passing "&LOG_BUF(cur_index)" where the index must be masked so that it does not exceed the buffer's boundary.

The trick is to prepare in call_console_drivers() a buffer with the necessary data (PRI field of syslog message) to be safely evaluated in log_prefix().

This patch can be applied to stable kernel branches 3.0.y, 3.2.y and 3.4.y.

Without this patch, one can freeze a server running this loop from shell :
  $ export DUMMY=`cat /dev/urandom | tr -dc '12345AZERTYUIOPQSDFGHJKLMWXCVBNazertyuiopqsdfghjklmwxcvbn' | head -c255`
  $ while true do ; echo $DUMMY > /dev/kmsg ; done

The "server freeze" depends on where memblock_alloc allocates the printk buffer : if the buffer overflow is inside another kernel allocation the problem may not be revealed, else the server may hang.

Signed-off-by: Alexandre SIMON <Alexandre.Simon@univ-lorraine.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
/*  Syslog internals
 *
 *  Copyright 2010 Canonical, Ltd.
 *  Author: Kees Cook <kees.cook@canonical.com>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2, or (at your option)
 *  any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; see the file COPYING.  If not, write to
 *  the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
 */

#ifndef _LINUX_SYSLOG_H
#define _LINUX_SYSLOG_H
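/*
 * Action codes for the syslog interface.
 * NOTE(review): presumably these are the values accepted as the `type`
 * argument of do_syslog(); the dispatch itself is not in this header.
 */
/* Close the log.  Currently a NOP. */
#define SYSLOG_ACTION_CLOSE	0
/* Open the log. Currently a NOP. */
#define SYSLOG_ACTION_OPEN	1
/* Read from the log. */
#define SYSLOG_ACTION_READ	2
/* Read all messages remaining in the ring buffer. */
#define SYSLOG_ACTION_READ_ALL	3
/* Read and clear all messages remaining in the ring buffer */
#define SYSLOG_ACTION_READ_CLEAR	4
/* Clear ring buffer. */
#define SYSLOG_ACTION_CLEAR	5
/* Disable printk's to console */
#define SYSLOG_ACTION_CONSOLE_OFF	6
/* Enable printk's to console */
#define SYSLOG_ACTION_CONSOLE_ON	7
/* Set level of messages printed to console */
#define SYSLOG_ACTION_CONSOLE_LEVEL	8
/* Return number of unread characters in the log buffer */
#define SYSLOG_ACTION_SIZE_UNREAD	9
/* Return size of the log buffer */
#define SYSLOG_ACTION_SIZE_BUFFER	10

/*
 * Origin of a request.
 * NOTE(review): presumably passed as do_syslog()'s `from_file` argument
 * (0 = direct call, 1 = file-based reader); confirm against the callers.
 */
#define SYSLOG_FROM_CALL	0
#define SYSLOG_FROM_FILE	1

/*
 * Syslog priority (PRI) maximum length in char : '<[0-9]{1,3}>'
 * See RFC5424 for details
 *
 * The 5 characters are '<', up to three digits and '>'; the terminating
 * NUL is not counted.  Code that copies a PRI field into a scratch buffer
 * and then parses it as a C string therefore needs
 * SYSLOG_PRI_MAX_LENGTH + 1 bytes and must terminate the copy itself, so
 * that the parser cannot read past the bytes that were copied.
 */
#define SYSLOG_PRI_MAX_LENGTH	5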
/*
 * do_syslog - prototype only; the implementation is outside this header.
 *
 * @type:      NOTE(review): presumably one of the SYSLOG_ACTION_* codes
 *             defined in this header; confirm against the implementation.
 * @buf:       pointer carrying the __user annotation, i.e. it refers to
 *             userspace memory and must not be dereferenced directly.
 * @count:     signed int. NOTE(review): presumably the size of @buf; the
 *             implementation is expected to reject negative values before
 *             using it as a length. Not visible here, verify.
 * @from_file: NOTE(review): presumably SYSLOG_FROM_CALL or SYSLOG_FROM_FILE.
 *
 * Return value semantics are not established by this header.
 */
int do_syslog(int type, char __user *buf, int count, bool from_file);
#endif /* _LINUX_SYSLOG_H */