From: Vivek Goyal <vgoyal@redhat.com>
To: arthur <zzou@redhat.com>
Cc: kexec@lists.infradead.org
Subject: Re: [PATCH] vmcore-dmesg stack smashing happend in extreme case
Date: Mon, 10 Mar 2014 17:16:50 -0400 [thread overview]
Message-ID: <20140310211650.GI4352@redhat.com> (raw)
In-Reply-To: <1394443511-4243-1-git-send-email-zzou@redhat.com>
On Mon, Mar 10, 2014 at 05:25:11PM +0800, arthur wrote:
> Description
> in dump_dmesg_structured() the out_buf size is 4096, and if the
> length is less than 4080( 4096-16 ) it won't really write out.
> Normally, after writing one or four chars to the out_buf, it will
> check the length of out_buf. But in extreme cases, 19 chars was
> written to the out_buf before checking the length. This may cause
> the stack corruption. If the length was 4079 (won't realy write out),
> and then write 19 chars to it. the out_buf will overflow.
>
> Solution
> Change 16 to 32 and always check the lenth of out_buf before move to
> next record, thus can make sure that at the beginning of a message
> we always have 32 bytes of buffer.
>
> Signed-off-by: arthur <zzou@redhat.com>
> ---
> vmcore-dmesg/vmcore-dmesg.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/vmcore-dmesg/vmcore-dmesg.c b/vmcore-dmesg/vmcore-dmesg.c
> index 0345660..0d323c1 100644
> --- a/vmcore-dmesg/vmcore-dmesg.c
> +++ b/vmcore-dmesg/vmcore-dmesg.c
> @@ -674,7 +674,7 @@ static void dump_dmesg_structured(int fd)
> else
> out_buf[len++] = c;
>
> - if (len >= OUT_BUF_SIZE - 16) {
> + if (len >= OUT_BUF_SIZE - 32) {
How do you know 32 is enough and will not overflow?
> write_to_stdout(out_buf, len);
> len = 0;
> }
> @@ -682,6 +682,11 @@ static void dump_dmesg_structured(int fd)
>
> out_buf[len++] = '\n';
>
> + if (len >= OUT_BUF_SIZE - 32) {
> + write_to_stdout(out_buf, len);
> + len = 0;
> + }
Why do we need this? After last check only one extra character "\n"
has been written?
I think that this overflow is coming from following sprintf().
len += sprintf(out_buf + len, "[%5llu.%06llu] ",
(long long unsigned int)imaxdiv_sec.quot,
(long long unsigned int)imaxdiv_usec.quot);
So we are printing 2 long long unsigned int and 3 more chars "[] ". I
Max long long unsigned int is (2^64 -1) = 18446744073709551615
Above takes 20 bytes. So total max length can be 20 + 20 + 3 = 43.
I think just leave 64bytes of buffer before we enter the next message
and that should be fine.
And we don't have to do this twice. Just do it once inside innermost
for loop.
Thanks
Vivek
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2014-03-10 21:17 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-10 9:25 [PATCH] vmcore-dmesg stack smashing happend in extreme case arthur
2014-03-10 21:16 ` Vivek Goyal [this message]
2014-03-11 1:42 ` Zhi Zou
2014-03-11 13:37 ` Vivek Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140310211650.GI4352@redhat.com \
--to=vgoyal@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=zzou@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox