From: Petr Mladek <pmladek@suse.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
Steven Rostedt <rostedt@goodmis.org>,
John Ogness <john.ogness@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
Sven Schnelle <svens@linux.ibm.com>
Subject: [GIT PULL] printk urgent fix for 5.11-rc6
Date: Mon, 25 Jan 2021 15:42:29 +0100
Message-ID: <YA7Y1WIjM3Oy2O7Y@alley>

Linus,

please pull an urgent fixup from

  git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux.git tags/printk-for-5.11-urgent-fixup

===============================

- Prevent writing the trailing '\0' past the reader buffer.

===============================

The fix of a potential buffer overflow in 5.11-rc5 introduced another one.
The trailing '\0' might be written up to the message "len" past the buffer.

Fortunately, it is not that easy to hit[*].

Most readers use 1kB buffers for a single message. Typical messages fit into
the temporary buffer with enough reserve.

Also readers do not rely on the '\0'. It is related to the previous
fix. Some readers required the space for the trailing '\0'. We decided
to write it there to avoid such regressions in the future.

The most realistic victims are message dumpers using kmsg_dump_get_buffer().
They are filling the entire buffer with as many messages as possible. They
are typically used when handling panic().

The problem has been reported twice by a test suite and a robot:

  https://lore.kernel.org/r/yt9dk0s48y70.fsf@linux.ibm.com
  https://lore.kernel.org/r/000000000000bc67d205b9b8feb2@google.com

[*] This is not an excuse for such a mistake. We really should have caught
    it during development, review, or testing.

----------------------------------------------------------------
John Ogness (1):
      printk: fix string termination for record_print_text()

Petr Mladek (1):
      Merge branch 'printk-rework' into for-linus

 kernel/printk/printk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
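
Added example, not part of the message above and not the kernel's code: a userspace model of how a terminator can land up to "len" past a buffer that a dumper fills completely. It assumes the '\0' is indexed from an already-advanced write cursor instead of the buffer start (the message does not show the code); pack(), run(), the guard arena and the sample messages are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARENA 64    /* backing storage, so the stray write stays observable */
#define SIZE  16    /* buffer size the reader actually passed */
#define GUARD 0xAA  /* fill pattern for bytes the reader does not own */

/* Hypothetical dumper: pack whole messages into buf[0..size), keeping
 * room for the '\0', then terminate. Returns bytes of text written. */
static size_t pack(char *buf, size_t size, const char *const *msgs,
                   size_t n, int buggy)
{
    char *cur = buf;    /* advances as text is copied */
    size_t len = 0;     /* total text length so far */

    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(msgs[i]);
        if (len + l + 1 > size)
            break;              /* next message would not fit */
        memcpy(cur, msgs[i], l);
        cur += l;
        len += l;
    }
    if (size > 0) {
        if (buggy)
            cur[len] = '\0';    /* cur == buf + len, so this is buf[2 * len] */
        else
            buf[len] = '\0';    /* indexed from the buffer start */
    }
    return len;
}

/* Returns the offset of the first overwritten guard byte, or -1 if none. */
static long run(int buggy)
{
    static const char *const msgs[] = { "panic: ", "oops\n", "tail\n" };
    unsigned char arena[ARENA];

    memset(arena, GUARD, sizeof(arena));
    pack((char *)arena, SIZE, msgs, 3, buggy);
    for (long i = SIZE; i < ARENA; i++)
        if (arena[i] != GUARD)
            return i;
    return -1;
}

int main(void)
{
    printf("fixed: %ld, buggy: %ld\n", run(0), run(1));
    return 0;
}
```

With 12 bytes of text packed into the 16-byte buffer, the cursor-relative store hits offset 24; a nearly empty buffer would hide the same defect, which fits the observation that readers holding one short message rarely trip it.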