* [PATCH] kernel/kexec.c: use vscnprintf() instead of vsnprintf() in vmcoreinfo_append_str()
@ 2013-10-09 8:29 ` Chen Gang
0 siblings, 0 replies; 3+ messages in thread
From: Chen Gang @ 2013-10-09 8:29 UTC (permalink / raw)
To: Eric W. Biederman
Cc: kexec, linux-kernel@vger.kernel.org, Al Viro, Andrew Morton,
Joe Perches, Richard Weinberger
vsnprintf() may let 'r' larger than sizeof(buf), in this case, if 'r'
is also less than "vmcoreinfo_max_size - vmcoreinfo_size" (left size of
destination buffer), next memcpy() will read the unexpected addresses.
Signed-off-by: Chen Gang <gang.chen@asianux.com>
---
kernel/kexec.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 2a74f30..0abcd68 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -1533,7 +1533,7 @@ void vmcoreinfo_append_str(const char *fmt, ...)
size_t r;
va_start(args, fmt);
- r = vsnprintf(buf, sizeof(buf), fmt, args);
+ r = vscnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
r = min(r, vmcoreinfo_max_size - vmcoreinfo_size);
--
1.7.7.6
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH] kernel/sysctl_binary.c: use scnprintf() instead of snprintf()
2013-10-09 8:29 ` Chen Gang
(?)
@ 2013-10-09 9:03 ` Chen Gang
-1 siblings, 0 replies; 3+ messages in thread
From: Chen Gang @ 2013-10-09 9:03 UTC (permalink / raw)
To: Eric W. Biederman, Al Viro, xi.wang
Cc: nicolas.dichtel, linux-kernel@vger.kernel.org, Andrew Morton,
Joe Perches, Richard Weinberger
snprintf() will return the 'ideal' length which may be larger than real
buffer length, if we only want to use real length, need use scnprintf()
instead of.
Signed-off-by: Chen Gang <gang.chen@asianux.com>
---
kernel/sysctl_binary.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/sysctl_binary.c b/kernel/sysctl_binary.c
index b609213..653cbbd 100644
--- a/kernel/sysctl_binary.c
+++ b/kernel/sysctl_binary.c
@@ -1024,7 +1024,7 @@ static ssize_t bin_intvec(struct file *file,
if (get_user(value, vec + i))
goto out_kfree;
- str += snprintf(str, end - str, "%lu\t", value);
+ str += scnprintf(str, end - str, "%lu\t", value);
}
result = kernel_write(file, buffer, str - buffer, 0);
@@ -1095,7 +1095,7 @@ static ssize_t bin_ulongvec(struct file *file,
if (get_user(value, vec + i))
goto out_kfree;
- str += snprintf(str, end - str, "%lu\t", value);
+ str += scnprintf(str, end - str, "%lu\t", value);
}
result = kernel_write(file, buffer, str - buffer, 0);
@@ -1205,7 +1205,7 @@ static ssize_t bin_dn_node_address(struct file *file,
if (get_user(dnaddr, (__le16 __user *)newval))
goto out;
- len = snprintf(buf, sizeof(buf), "%hu.%hu",
+ len = scnprintf(buf, sizeof(buf), "%hu.%hu",
le16_to_cpu(dnaddr) >> 10,
le16_to_cpu(dnaddr) & 0x3ff);
--
1.7.7.6
^ permalink raw reply related [flat|nested] 3+ messages in thread