From: "Arve Hjønnevåg" <arve@android.com>
To: linux-kernel@vger.kernel.org
Cc: "Arve Hjønnevåg" <arve@android.com>,
"Anton Vorontsov" <cbouatmailru@gmail.com>,
"Colin Cross" <ccross@android.com>,
"Kees Cook" <keescook@chromium.org>,
"Tony Luck" <tony.luck@intel.com>
Subject: [PATCH] pstore/ram: Fix bounds checks for mem_size, record_size, console_size and ftrace_size
Date: Tue, 11 Dec 2012 17:49:24 -0800
Message-ID: <1355276964-2929-1-git-send-email-arve@android.com>
The bounds check in ramoops_init_prz was incorrect and ramoops_init_przs
had no check. Additionally, ramoops_init_przs allows record_size to be 0,
but ramoops_pstore_write_buf would always crash in this case.
Signed-off-by: Arve Hjønnevåg <arve@android.com>
---
fs/pstore/ram.c | 18 ++++++++++++++++--
1 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c
index 1a4f6da..eb3dbff 100644
--- a/fs/pstore/ram.c
+++ b/fs/pstore/ram.c
@@ -189,7 +189,7 @@ static int notrace ramoops_pstore_write_buf(enum pstore_type_id type,
struct pstore_info *psi)
{
struct ramoops_context *cxt = psi->data;
- struct persistent_ram_zone *prz = cxt->przs[cxt->dump_write_cnt];
+ struct persistent_ram_zone *prz;
size_t hlen;
if (type == PSTORE_TYPE_CONSOLE) {
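Review bot: the changelog should say why the record_size == 0 case crashed, since the cause is the initializer removed at the top of this hunk: `cxt->przs[cxt->dump_write_cnt]` was evaluated at function entry, before any check, so it indexed cxt->przs even when no dump zones exist. With the initializer gone, prz is unassigned across the PSTORE_TYPE_CONSOLE branch that starts at the end of the hunk; a short comment at the declaration saying it is only valid for the dump path would keep later edits from using it earlier.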
@@ -226,6 +226,11 @@ static int notrace ramoops_pstore_write_buf(enum pstore_type_id type,
if (part != 1)
return -ENOSPC;
+ if (!cxt->przs)
+ return -ENOSPC;
+
+ prz = cxt->przs[cxt->dump_write_cnt];
+
hlen = ramoops_write_kmsg_hdr(prz);
if (size + hlen > prz->buffer_size)
size = prz->buffer_size - hlen;
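Review bot: the `if (!cxt->przs)` test added after the `part != 1` check has no comment saying when przs can be NULL. Going by the `if (!cxt->record_size) return 0;` early return in ramoops_init_przs elsewhere in this patch, that is the record_size == 0 configuration, and a one-line comment here would record the dependency. It also returns the same -ENOSPC as the `part != 1` case just above, so a caller cannot tell "dumps disabled" from "no space for this part"; if that distinction matters to pstore, a different errno would help.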
@@ -296,6 +301,11 @@ static int ramoops_init_przs(struct device *dev, struct ramoops_context *cxt,
if (!cxt->record_size)
return 0;
+ if (*paddr + dump_mem_sz - cxt->phys_addr > cxt->size) {
+ dev_err(dev, "no room for dumps\n");
+ return -ENOMEM;
+ }
+
cxt->max_dump_cnt = dump_mem_sz / cxt->record_size;
if (!cxt->max_dump_cnt)
return -ENOMEM;
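Review bot: the added check `*paddr + dump_mem_sz - cxt->phys_addr > cxt->size` adds before it subtracts, so if `*paddr + dump_mem_sz` wraps the address type the result is small again and an oversized region passes. Provided *paddr never falls below cxt->phys_addr, writing it as `dump_mem_sz > cxt->size - (*paddr - cxt->phys_addr)` keeps every intermediate value in range. The "no room for dumps" message would also be more useful if it printed the requested size and offset the way the message added in ramoops_init_prz does.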
@@ -333,8 +343,12 @@ static int ramoops_init_prz(struct device *dev, struct ramoops_context *cxt,
if (!sz)
return 0;
- if (*paddr + sz > *paddr + cxt->size)
+ if (*paddr + sz - cxt->phys_addr > cxt->size) {
+ dev_err(dev, "no room for mem region (0x%zx@0x%llx) in (0x%lx@0x%llx)\n",
+ sz, (unsigned long long)*paddr,
+ cxt->size, (unsigned long long)cxt->phys_addr);
return -ENOMEM;
+ }
*prz = persistent_ram_new(*paddr, sz, sig, cxt->ecc_size);
if (IS_ERR(*prz)) {
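Review bot: the bounds expression in the replaced `if` is now written out twice, here as `*paddr + sz - cxt->phys_addr > cxt->size` and in ramoops_init_przs with dump_mem_sz in place of sz; a small helper taking the context, the current address and the requested size would keep the two from drifting and give one place to make the arithmetic wrap-safe. In the dev_err call, sz is printed with `%zx` and cxt->size with `%lx`; the declarations are not in this hunk, so please confirm each specifier matches its field's type on 32-bit and 64-bit builds.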
--
1.7.7.3