From: Dmitry Trikoz <Dmitry.Trikoz@stratus.com>
To: kexec@lists.infradead.org, horms@verge.net.au
Subject: Kexec corrupts command line in x86-linux-setup.c setup_edd_info()
Date: Thu, 24 May 2012 13:26:51 -0400	[thread overview]
Message-ID: <4FBE6F5B.2070503@stratus.com> (raw)

Hi,
I've been chasing a strange problem with the kdump kernel. It was crashing on
boot without any messages to the console.
Finally I found that the kdump kernel command line was corrupt.
Digging down, I found the problem in setup_edd_info() and
add_edd_entry(). They don't check the array sizes of
real_mode->eddbuf[] and real_mode->edd_mbr_sig_buffer[].
So when it overruns eddbuf[], it corrupts the command_line that follows it.

Here is the fix:

--- a/kexec-tools/kexec/arch/i386/x86-linux-setup.c
+++ b/kexec-tools/kexec/arch/i386/x86-linux-setup.c
@@ -275,9 +275,9 @@ static int add_edd_entry(struct 
x86_linux_param_header *real_mode,
                                 "must not be NULL", __FUNCTION__);
                 return -1;
         }
-
-       edd_info = &real_mode->eddbuf[*current_edd];
-       memset(edd_info, 0, sizeof(struct edd_info));
+       if (*current_mbr >= EDD_MBR_SIG_MAX) {
+               return 0;
+       }

         /* extract the device number */
         if (sscanf(basename(sysfs_name), "int13_dev%hhx", &devnum) != 1) {
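Review bot: the new `if (*current_mbr >= EDD_MBR_SIG_MAX) return 0;` at the top of this hunk drops the device silently, so a system with more int13 devices than the buffer holds will lose EDD data with no trace in the log. Since the bound is now the only thing standing between this code and the command line, it would be worth at least a `dbgprintf("EDD: edd_mbr_sig_buffer full, skipping %s\n", sysfs_name);` before the return, matching the diagnostic style used for the `mbr_sig` message below. Also, the assignment of `edd_info` and its `memset` are removed here and reappear after the mbr_sig handling in the next hunk; a sentence in the changelog explaining that the move is needed so the `EDDMAXNR` check can precede the first write to `eddbuf[]` would make the intent clear to the next reader.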
@@ -293,12 +293,21 @@ static int add_edd_entry(struct 
x86_linux_param_header *real_mode,
                 dbgprintf("EDD Device 0x%x: mbr_sig=0x%x\n", devnum, 
mbr_sig);
         }

+       if (*current_edd >= EDDMAXNR) {
+               return 0;
+       }
+
+       edd_info = &real_mode->eddbuf[*current_edd];
+       memset(edd_info, 0, sizeof(struct edd_info));
+
         /* set the device number */
         edd_info->device = devnum;

         /* set the version */
-       if (file_scanf(sysfs_name, "version", "0x%hhx", &version) != 1)
+       if (file_scanf(sysfs_name, "version", "0x%hhx", &version) != 1) {
+               fprintf(stderr, "sysfs_name %s version file error\n", 
sysfs_name);
                 return -1;
+       }

         edd_info->version = version;
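
Review bot: the `EDDMAXNR` check is placed after the MBR signature has already been handled for this device, so when `eddbuf[]` is full but `edd_mbr_sig_buffer[]` is not, a device ends up with a signature entry and no matching `eddbuf[]` entry; if that asymmetry is intended, a comment at the `if (*current_edd >= EDDMAXNR)` line would save the next reader from treating it as a bug. On the version-file change, the added `fprintf(stderr, ...)` is unconditional while the neighbouring diagnostics in this function use `dbgprintf`; either is defensible, but the returned `-1` already signals the failure, so consider `dbgprintf` here for consistency unless the loud message is the point of the change.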

Sincerely,

Dmitry Trikoz

dmitry.trikoz@stratus.com

