diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2021-01-25 10:19:40 -0800 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2021-01-25 10:19:40 -0800 |
| commit | 007ad27d7bafc6df36e1d6ad4a13f6d602376193 (patch) | |
| tree | 4d95ddea5ee549821b274295ed8038af1c341bdb /kernel | |
| parent | 6ee1d745b7c9fd573fba142a2efdad76a9f1cb04 (diff) | |
| parent | 61bb17da44a0b6d079e68872e3569bb3eda17656 (diff) | |
Merge tag 'printk-for-5.11-urgent-fixup' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux
Pull printk fix from Petr Mladek:
"The fix of a potential buffer overflow in 5.11-rc5 introduced another
one. The trailing '\0' might be written up to the message "len" past
the buffer. Fortunately, it is not that easy to hit.
Most readers use 1kB buffers for a single message. Typical messages
fit into the temporary buffer with enough reserve.
Also readers do not rely on the '\0'. It is related to the previous
fix. Some readers required the space for the trailing '\0'. We decided
to write it there to avoid such regressions in the future.
The most realistic victims are dumpers using kmsg_dump_get_buffer().
They are filling the entire buffer with as many messages as possible.
They are typically used when handling panic()"
* tag 'printk-for-5.11-urgent-fixup' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux:
printk: fix string termination for record_print_text()
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/printk/printk.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c index 6639a0cfe0ac..5a95c688621f 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -1398,7 +1398,7 @@ static size_t record_print_text(struct printk_record *r, bool syslog, * not counted in the return value. */ if (buf_size > 0) - text[len] = 0; + r->text_buf[len] = 0; return len; } |