[kexec-tools] Backport vmcore-dmsg stack smashing in extreme case

WANG Chao wangchao at fedoraproject.org
Fri Mar 14 05:05:29 UTC 2014


commit 7f9b45002a940c3ba5604552cda4d687948cf443
Author: Arthur Zou <zzou at redhat.com>
Date:   Thu Mar 13 11:02:07 2014 +0800

    Backport vmcore-dmsg stack smashing in extreme case
    
    In extreme case vmcore-dmesg will overflow. Upstream has fixed the
    same problem, so simply backport it.
    
    Signed-off-by: Arthur Zou <zzou at redhat.com>
    Acked-by: WANG Chao <chaowang at redhat.com>
    Acked-by: Vivek Goyal <vgoyal at redhat.com>

 ...sg-stack-smashing-happend-in-extreme-case.patch |   43 ++++++++++++++++++++
 kexec-tools.spec                                   |    2 +
 2 files changed, 45 insertions(+), 0 deletions(-)
---
diff --git a/kexec-tools-2.0.5-vmcore-dmesg-stack-smashing-happend-in-extreme-case.patch b/kexec-tools-2.0.5-vmcore-dmesg-stack-smashing-happend-in-extreme-case.patch
new file mode 100644
index 0000000..044cb61
--- /dev/null
+++ b/kexec-tools-2.0.5-vmcore-dmesg-stack-smashing-happend-in-extreme-case.patch
@@ -0,0 +1,43 @@
+From 401e037e5e9527134c594b8923342a69ff38b7cb Mon Sep 17 00:00:00 2001
+From: Arthur Zou <zzou at redhat.com>
+Date: Wed, 12 Mar 2014 13:05:18 +0800
+Subject: [PATCH] vmcore-dmesg stack smashing happend in extreme case
+
+Description
+in dump_dmesg_structured() the out_buf size is 4096, and if the
+length is less than 4080( 4096-16 ) it won't really write out.
+Normally, after writing one or four chars to the out_buf, it will
+check the length of out_buf. But in extreme cases, 19 chars was
+written to the out_buf before checking the length. This may cause
+the stack corruption. If the length was 4079 (won't realy write out),
+and then write 19 chars to it. the out_buf will overflow.
+
+Solution
+Change 16 to 64 thus can make sure that always have 64bytes before
+moving to next records. why using 64 is that a long long int can take
+20 bytes. so the length of timestamp can be 44 ('[','.',']',' ') in
+extreme case.
+
+Signed-off-by: Arthur Zou <zzou at redhat.com>
+Acked-by: Vivek Goyal <vgoyal at redhat.com>
+Signed-off-by: Simon Horman <horms at verge.net.au>
+---
+ vmcore-dmesg/vmcore-dmesg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vmcore-dmesg/vmcore-dmesg.c b/vmcore-dmesg/vmcore-dmesg.c
+index 0345660..e15cd91 100644
+--- a/vmcore-dmesg/vmcore-dmesg.c
++++ b/vmcore-dmesg/vmcore-dmesg.c
+@@ -674,7 +674,7 @@ static void dump_dmesg_structured(int fd)
+ 			else
+ 				out_buf[len++] = c;
+ 
+-			if (len >= OUT_BUF_SIZE - 16) {
++			if (len >= OUT_BUF_SIZE - 64) {
+ 				write_to_stdout(out_buf, len);
+ 				len = 0;
+ 			}
+-- 
+1.8.4.2
+
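Review bot: the vmcore-dmesg.c hunk swaps one hand-counted margin (`OUT_BUF_SIZE - 16`) for another (`OUT_BUF_SIZE - 64`) without moving the flush check; the description says the timestamp path writes 19 bytes into out_buf before the length check runs, so the new bound only holds as long as the largest record prefix stays under 64 bytes. A sturdier fix checks the remaining space before the multi-byte prefix is written, or names the margin (for example a define with a comment carrying the 44-byte timestamp arithmetic from the description) so a later change to the format cannot silently reintroduce the overflow. The Subject line and the patch filename also carry the misspelling "happend"; since the spec will reference the filename, it is easier to fix now than after it lands.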
diff --git a/kexec-tools.spec b/kexec-tools.spec
index 8c75d21..0c850e4 100644
--- a/kexec-tools.spec
+++ b/kexec-tools.spec
@@ -81,6 +81,7 @@ Patch001: kexec-tools-2.0.5-i386-fix-redefinition-error-for-e820entry.patch
 Patch601: kexec-tools-2.0.3-disable-kexec-test.patch
 Patch604: kexec-tools-2.0.3-build-makedumpfile-eppic-shared-object.patch
 Patch618: kexec-tools-2.0.4-makedumpfile-memset-in-cyclic-bitmap-initialization-introdu.patch
+Patch619: kexec-tools-2.0.5-vmcore-dmesg-stack-smashing-happend-in-extreme-case.patch
 
 %description
 kexec-tools provides /sbin/kexec binary that facilitates a new
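Review bot: this hunk adds Patch619 but the diff carries no %changelog entry for the backport (the diffstat lists only the two added lines), so the fix leaves no trace in the package history; add a changelog line naming the vmcore-dmesg stack smashing fix. The filename embeds the misspelling "happend" from the patch subject, which becomes awkward to rename once the spec depends on it.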
@@ -114,6 +115,7 @@ tar -z -x -v -f %{SOURCE19}
 %patch618 -p1
 %patch000 -p1
 %patch001 -p1
+%patch619 -p1
 
 tar -z -x -v -f %{SOURCE13}
 
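Review bot: %patch619 -p1 is applied after %patch000 and %patch001 while its declaration sits after Patch618, so the apply sequence (618, 000, 001, 619) no longer follows the numbering; harmless here because the patches touch different files, but keeping the %patch lines in numeric order, or grouping 619 with the other kexec-tools upstream backports 000/001, makes future conflicts easier to reason about. The -p1 strip level does match the a/ and b/ prefixes used in the embedded patch.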