[PATCH] Backport vmcore-dmesg stack smashing in extreme case

WANG Chao chaowang at redhat.com
Thu Mar 13 03:18:30 UTC 2014


On 03/13/14 at 11:02am, Zhi Zou wrote:
> Resolves bz1071376
> 
> In an extreme case vmcore-dmesg will overflow. Upstream has fixed the
> same problem, so simply backport it.
> 
> Signed-off-by: Arthur Zou <zzou at redhat.com>

Let's take in this patch.

Acked-by: WANG Chao <chaowang at redhat.com>

> ---
>  ...sg-stack-smashing-happend-in-extreme-case.patch | 43 ++++++++++++++++++++++
>  kexec-tools.spec                                   |  2 +
>  2 files changed, 45 insertions(+)
>  create mode 100644 kexec-tools-2.0.4-vmcore-dmesg-stack-smashing-happend-in-extreme-case.patch
> 
> diff --git a/kexec-tools-2.0.4-vmcore-dmesg-stack-smashing-happend-in-extreme-case.patch b/kexec-tools-2.0.4-vmcore-dmesg-stack-smashing-happend-in-extreme-case.patch
> new file mode 100644
> index 0000000..044cb61
> --- /dev/null
> +++ b/kexec-tools-2.0.4-vmcore-dmesg-stack-smashing-happend-in-extreme-case.patch
> @@ -0,0 +1,43 @@
> +From 401e037e5e9527134c594b8923342a69ff38b7cb Mon Sep 17 00:00:00 2001
> +From: Arthur Zou <zzou at redhat.com>
> +Date: Wed, 12 Mar 2014 13:05:18 +0800
> +Subject: [PATCH] vmcore-dmesg stack smashing happend in extreme case
> +
> +Description
> +in dump_dmesg_structured() the out_buf size is 4096, and if the
> +length is less than 4080( 4096-16 ) it won't really write out.
> +Normally, after writing one or four chars to the out_buf, it will
> +check the length of out_buf. But in extreme cases, 19 chars was
> +written to the out_buf before checking the length. This may cause
> +the stack corruption. If the length was 4079 (won't realy write out),
> +and then write 19 chars to it. the out_buf will overflow.
> +
> +Solution
> +Change 16 to 64 thus can make sure that always have 64bytes before
> +moving to next records. why using 64 is that a long long int can take
> +20 bytes. so the length of timestamp can be 44 ('[','.',']',' ') in
> +extreme case.
> +
> +Signed-off-by: Arthur Zou <zzou at redhat.com>
> +Acked-by: Vivek Goyal <vgoyal at redhat.com>
> +Signed-off-by: Simon Horman <horms at verge.net.au>
> +---
> + vmcore-dmesg/vmcore-dmesg.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/vmcore-dmesg/vmcore-dmesg.c b/vmcore-dmesg/vmcore-dmesg.c
> +index 0345660..e15cd91 100644
> +--- a/vmcore-dmesg/vmcore-dmesg.c
> ++++ b/vmcore-dmesg/vmcore-dmesg.c
> +@@ -674,7 +674,7 @@ static void dump_dmesg_structured(int fd)
> + 			else
> + 				out_buf[len++] = c;
> + 
> +-			if (len >= OUT_BUF_SIZE - 16) {
> ++			if (len >= OUT_BUF_SIZE - 64) {
> + 				write_to_stdout(out_buf, len);
> + 				len = 0;
> + 			}
> +-- 
> +1.8.4.2
> +
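Review bot: the check at `if (len >= OUT_BUF_SIZE - 64)` now carries a bare magic number whose justification lives only in the commit message (19 bytes observed written between two checks; a timestamp of up to 44 bytes in the extreme case), so the next change to the timestamp format or escape sequence can silently reintroduce the overrun. Give the reserve a name and a comment in the code, for example `#define OUT_BUF_RESERVE 64 /* >= '\n' + longest timestamp + one escaped byte */`, and test against that instead of the literal. The check is still only run after each text byte; a second check before the timestamp is written would remove the dependence on the constant altogether.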
> diff --git a/kexec-tools.spec b/kexec-tools.spec
> index 1a8f849..ba4589c 100644
> --- a/kexec-tools.spec
> +++ b/kexec-tools.spec
> @@ -97,6 +97,7 @@ Patch615: kexec-tools-2.0.4-makedumpfile-Add-non-mmap-option-to-disable-mmap-man
>  Patch616: kexec-tools-2.0.4-makedumpfile-Fall-back-to-read-when-mmap-fails.patch
>  Patch617: kexec-tools-2.0.4-vmcore-dmesg-struct_val_u64-not-casting-u64-to-u32.patch
>  Patch618: kexec-tools-2.0.4-makedumpfile-Improve-progress-information-for-huge-memor.patch
> +Patch619: kexec-tools-2.0.4-vmcore-dmesg-stack-smashing-happend-in-extreme-case.patch
>  
>  %description
>  kexec-tools provides /sbin/kexec binary that facilitates a new
> @@ -146,6 +147,7 @@ tar -z -x -v -f %{SOURCE19}
>  %patch616 -p1
>  %patch617 -p1
>  %patch618 -p1
> +%patch619 -p1
>  
>  tar -z -x -v -f %{SOURCE13}
>  
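Review bot: the `-p1` strip level matches the `a/` and `b/` prefixes in the embedded patch's `diff --git` header, so the application step is right, but this diff adds no %changelog entry for Patch619. If the package records each backport there, add one that references bz1071376 from the cover message so the fix can be traced from the built RPM.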
> -- 
> 1.8.4.2
> 
> _______________________________________________
> kexec mailing list
> kexec at lists.fedoraproject.org
> https://lists.fedoraproject.org/mailman/listinfo/kexec
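The overrun the backported commit describes is easy to reason about with a small model of the out_buf/len/flush pattern. The following C program is an added example, not code from kexec-tools or from the authors on this thread; it reconstructs the surrounding writes from the commit message only, and the assumptions are marked in comments: a 15-byte timestamp of the shape "[    0.000000] " (44 bytes in the extreme case the message cites), a four-byte "\xNN" escape for a non-printable byte, a trailing newline, and the flush check from the hunk run once after every text byte. It drives the buffer to the point where the last check has just passed and then performs the longest run of unchecked writes a record boundary can produce, and reports the peak position reached for both reserves. Writes are clipped so the model itself never overruns its buffer; `peak` records where the unclipped write would have ended.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OUT_BUF_SIZE 4096

/* Model of the output path in dump_dmesg_structured(): a fixed stack
 * buffer flushed once len crosses OUT_BUF_SIZE - reserve. Only the check
 * itself is quoted on the page; the other writes (timestamp, escaped
 * bytes, newline) are reconstructed from the commit message and are
 * assumptions of this example. */
struct sink {
    char out_buf[OUT_BUF_SIZE];
    size_t len;      /* bytes currently buffered (the real code's `len`) */
    size_t peak;     /* largest end position any append would have produced */
    size_t reserve;  /* 16 before the fix, 64 after */
    size_t flushes;  /* write_to_stdout() calls this would have made */
};

/* Append n bytes. The copy is clipped so this model never overruns
 * out_buf, but peak records where the unclipped write would have ended;
 * a peak above OUT_BUF_SIZE is the stack overrun the commit describes. */
static void append(struct sink *s, const char *p, size_t n)
{
    size_t end = s->len + n;
    if (end > s->peak)
        s->peak = end;
    size_t room = OUT_BUF_SIZE - s->len;
    memcpy(s->out_buf + s->len, p, n < room ? n : room);
    s->len = end < OUT_BUF_SIZE ? end : OUT_BUF_SIZE;
}

/* The check from the hunk, run after each text byte. */
static void check_flush(struct sink *s)
{
    if (s->len >= OUT_BUF_SIZE - s->reserve) {
        s->len = 0;   /* write_to_stdout(out_buf, len) in the original */
        s->flushes++;
    }
}

/* One text byte: a printable byte takes one slot, anything else is
 * escaped as "\xNN" (four bytes); the check runs afterwards. */
static void put_text_byte(struct sink *s, unsigned char c)
{
    if (isprint(c) || c == ' ') {
        char ch = (char)c;
        append(s, &ch, 1);
    } else {
        char esc[5];
        snprintf(esc, sizeof esc, "\\x%02x", c);
        append(s, esc, 4);
    }
    check_flush(s);
}

/* Timestamp prefix of ts_len bytes shaped like "[    0.000000] ": 15 bytes
 * for a small seconds value, 44 in the commit message's extreme case.
 * Written with no check, as the commit message says the real code does. */
static void put_timestamp(struct sink *s, size_t ts_len)
{
    char ts[64];
    memset(ts, '0', sizeof ts);
    ts[0] = '[';
    ts[ts_len - 2] = ']';
    ts[ts_len - 1] = ' ';
    append(s, ts, ts_len);
}

/* Fill with printable text until the check has just passed at
 * len == OUT_BUF_SIZE - reserve - 1, then perform the longest unchecked
 * sequence a record boundary produces: the trailing '\n', the next
 * record's timestamp and one escaped byte before the next check.
 * Returns the peak buffer position reached. */
size_t worst_case_peak(size_t reserve, size_t ts_len)
{
    struct sink s;
    memset(&s, 0, sizeof s);
    s.reserve = reserve;

    put_timestamp(&s, 15);
    while (s.len < OUT_BUF_SIZE - reserve - 1)
        put_text_byte(&s, 'A');
    /* s.len == OUT_BUF_SIZE - reserve - 1: the last check did not flush */

    append(&s, "\n", 1);          /* end of record: no check */
    put_timestamp(&s, ts_len);    /* next record's timestamp: no check */
    put_text_byte(&s, 0x01);      /* non-printable: 4 bytes, then the check */
    return s.peak;
}

int overflows(size_t reserve, size_t ts_len)
{
    return worst_case_peak(reserve, ts_len) > OUT_BUF_SIZE;
}

int main(void)
{
    printf("reserve 16, 15-byte timestamp: peak %zu (%s)\n",
           worst_case_peak(16, 15), overflows(16, 15) ? "OVERFLOW" : "ok");
    printf("reserve 64, 44-byte timestamp: peak %zu (%s)\n",
           worst_case_peak(64, 44), overflows(64, 44) ? "OVERFLOW" : "ok");
    return 0;
}
```

With the old 16-byte reserve and the minimum 15-byte timestamp the peak is 4099, three bytes past the end of out_buf, which is the overrun the commit message predicts from len 4079; with the 64-byte reserve even the 44-byte timestamp ends at 4080. The margin that matters is the longest unchecked run (newline, timestamp, one escape), so any change to that run has to be checked against the reserve again.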