From: Andrew Morton <akpm@linux-foundation.org>
To: Mikulas Patocka <mpatocka@redhat.com>
Cc: torvalds@linux-foundation.org, linux-kernel@vger.kernel.org,
	stable@kernel.org
Subject: Re: [PATCH] Fix memory corruption in console selection
Date: Mon, 2 Feb 2009 15:54:48 -0800
Message-ID: <20090202155448.e73cbdbd.akpm@linux-foundation.org>
In-Reply-To: <Pine.LNX.4.64.0901301516190.2813@hs20-bc2-1.build.redhat.com>

On Fri, 30 Jan 2009 15:27:14 -0500 (EST)
Mikulas Patocka <mpatocka@redhat.com> wrote:

> [ I don't know who is the console maintainer or if there is any, so I'm 
> posting this to Linus ]
> 
> 
> Fix an off-by-two memory error in console selection.
> 
> The loop below goes from sel_start to sel_end (inclusive), so it writes 
> one more character. This one more character was added to the allocated 
> size (+1), but it was not multiplied by an UTF-8 multiplier.
> 
> This patch fixes a memory corruption when UTF-8 console is used and the 
> user selects a few characters, all of them 3-byte in UTF-8 (for example a 
> frame line).
> 
> When memory redzones are enabled, a redzone corruption is reported. When 
> they are not enabled, trashing of random memory occurs.
> 
> Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
> 
> ---
>  drivers/char/selection.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> Index: linux-2.6.29-rc3-devel/drivers/char/selection.c
> ===================================================================
> --- linux-2.6.29-rc3-devel.orig/drivers/char/selection.c	2009-01-30 21:03:07.000000000 +0100
> +++ linux-2.6.29-rc3-devel/drivers/char/selection.c	2009-01-30 21:03:38.000000000 +0100
> @@ -268,7 +268,7 @@ int set_selection(const struct tiocl_sel
>  
>  	/* Allocate a new buffer before freeing the old one ... */
>  	multiplier = use_unicode ? 3 : 1;  /* chars can take up to 3 bytes */
> -	bp = kmalloc((sel_end-sel_start)/2*multiplier+1, GFP_KERNEL);
> +	bp = kmalloc(((sel_end-sel_start)/2+1)*multiplier, GFP_KERNEL);
>  	if (!bp) {
>  		printk(KERN_WARNING "selection: kmalloc() failed\n");
>  		clear_selection();
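Review bot: the corrected expression is the right bound, but the reason for the +1 is still invisible at the kmalloc() call, so the next reader could move it back outside the multiplier. Suggest extending the comment on the line above, e.g. `/* chars can take up to 3 bytes; the copy loop below is inclusive of sel_end, hence +1 cells */`, so the cell count and the per-cell byte count are visibly separate factors.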

The patch is now in mainline for 2.6.29, as
878b8619f711280fd05845e21956434b5e588cc4.

It appears to be applicable to earlier kernels as far back as 2.6.25
(at least).  But the -stable maintainers were not informed of this.

An appropriate way of flagging this is to add

Cc: <stable@kernel.org>

to the changelog.

Please, people - we all need to think about this, to prevent stuff from
falling through cracks.
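To make the off-by-two concrete, here is an added model of the sizing arithmetic from the patch above. It is not kernel code: it reuses the two kmalloc() size expressions (old and new) and the inclusive sel_start..sel_end loop in steps of two from selection.c, but the screen contents, the simplified UTF-8 copy loop (no trailing-blank stripping or '\r' insertion) and the bounds check are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: sel_start/sel_end are byte offsets into video memory,
 * two bytes per character cell, and the copy loop runs from sel_start to
 * sel_end inclusive in steps of two, as in drivers/char/selection.c. */

/* Encode one UCS-2 code point as UTF-8; like the kernel's store_utf8(),
 * the result is at most three bytes. Returns the number of bytes written. */
static size_t utf8_encode(uint16_t c, unsigned char *out)
{
    if (c < 0x80) {
        out[0] = (unsigned char)c;
        return 1;
    }
    if (c < 0x800) {
        out[0] = (unsigned char)(0xC0 | (c >> 6));
        out[1] = (unsigned char)(0x80 | (c & 0x3F));
        return 2;
    }
    out[0] = (unsigned char)(0xE0 | (c >> 12));
    out[1] = (unsigned char)(0x80 | ((c >> 6) & 0x3F));
    out[2] = (unsigned char)(0x80 | (c & 0x3F));
    return 3;
}

/* Allocation size before the patch: (sel_end-sel_start)/2*multiplier+1 */
size_t old_alloc_size(int sel_start, int sel_end, int multiplier)
{
    return (size_t)((sel_end - sel_start) / 2 * multiplier + 1);
}

/* Allocation size after the patch: ((sel_end-sel_start)/2+1)*multiplier */
size_t new_alloc_size(int sel_start, int sel_end, int multiplier)
{
    return (size_t)(((sel_end - sel_start) / 2 + 1) * multiplier);
}

/* Copy the selected cells into buf as UTF-8 the way the kernel loop does,
 * but refuse to write past buf_size. Returns bytes written, or -1 where the
 * real loop would have written past the kmalloc'd buffer. */
long copy_selection(const uint16_t *screen, int sel_start, int sel_end,
                    unsigned char *buf, size_t buf_size)
{
    unsigned char tmp[3];
    size_t used = 0;
    int i;

    for (i = sel_start; i <= sel_end; i += 2) {
        size_t n = utf8_encode(screen[i / 2], tmp);
        if (used + n > buf_size)
            return -1;  /* buffer too small: heap corruption in the kernel */
        memcpy(buf + used, tmp, n);
        used += n;
    }
    return (long)used;
}

/* Select four box-drawing cells (U+2500, three bytes each in UTF-8) and
 * size the buffer both ways. Returns 1 if the old size overflows while the
 * new size fits exactly, 0 otherwise. */
int demo(void)
{
    const uint16_t screen[4] = { 0x2500, 0x2500, 0x2500, 0x2500 }; /* constructed */
    const int sel_start = 0, sel_end = 6;  /* byte offsets of cells 0..3 */
    unsigned char buf[64];
    size_t old_sz = old_alloc_size(sel_start, sel_end, 3);  /* 3*3+1 = 10 */
    size_t new_sz = new_alloc_size(sel_start, sel_end, 3);  /* 4*3   = 12 */
    long old_r = copy_selection(screen, sel_start, sel_end, buf, old_sz);
    long new_r = copy_selection(screen, sel_start, sel_end, buf, new_sz);

    printf("old size %zu -> %s, new size %zu -> %ld bytes\n",
           old_sz, old_r < 0 ? "OVERFLOW" : "ok", new_sz, new_r);
    return old_r < 0 && new_r == 12;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

With multiplier 1 (non-UTF-8 console) both expressions give the same value, which is why the corruption only shows up with use_unicode and multi-byte characters such as frame lines, exactly as the changelog says.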

