From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, John Ogness, Petr Mladek, Sasha Levin
Subject: [PATCH 7.0 0729/1146] printk_ringbuffer: Fix get_data() size sanity check
Date: Wed, 20 May 2026 18:16:19 +0200
Message-ID: <20260520162204.705024252@linuxfoundation.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260520162148.390695140@linuxfoundation.org>
References: <20260520162148.390695140@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

7.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John Ogness

[ Upstream commit 8e81ecbf1cb46b8d2d13e772d5924b09bd60169a ]

Commit cc3bad11de6e ("printk_ringbuffer: Fix check of valid data size when blk_lpos overflows") added sanity checking to get_data() to avoid returning data of illegal sizes (too large or too small). It uses the helper function data_check_size() for the check.

However, data_check_size() expects the size of the data, not the size of the data block. get_data() is providing the size of the data block. This means that if the data size (text_buf_size) is at or near the maximum legal size:

    sizeof(prb_data_block) + text_buf_size == DATA_SIZE(data_ring) / 2

data_check_size() will report failure because it adds sizeof(prb_data_block) to the provided size. The sanity check in get_data() is counting the data block header twice. The result is that the reader fails to read the legal record.

Since get_data() subtracts the data block header size before returning, move the sanity check to after the subtraction.

Luckily printk() is not vulnerable to this problem because truncate_msg() limits printk-messages to 1/4 of the ringbuffer. Indeed, by adjusting the printk_ringbuffer KUnit test, which does not use printk() and its truncate_msg() check, it is easy to see that the reader fails and the WARN_ON is triggered.

Fixes: cc3bad11de6e ("printk_ringbuffer: Fix check of valid data size when blk_lpos overflows")
Signed-off-by: John Ogness
Reviewed-by: Petr Mladek
Tested-by: Petr Mladek
Link: https://patch.msgid.link/20260326133809.8045-1-john.ogness@linutronix.de
Signed-off-by: Petr Mladek
Signed-off-by: Sasha Levin

--- kernel/printk/printk_ringbuffer.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/printk/printk_ringbuffer.c b/kernel/printk/printk_ringbuffer.c index 56c8e3d031f49..a3526bdd4e10d 100644 --- a/kernel/printk/printk_ringbuffer.c +++ b/kernel/printk/printk_ringbuffer.c
@@ -1302,10 +1302,6 @@ static const char *get_data(struct prb_data_ring *data_ring, return NULL; } - /* Sanity check. Data-less blocks were handled earlier. */ - if (WARN_ON_ONCE(!data_check_size(data_ring, *data_size) || !*data_size)) - return NULL; - /* A valid data block will always be aligned to the ID size. */ if (WARN_ON_ONCE(blk_lpos->begin != ALIGN(blk_lpos->begin, sizeof(db->id))) || WARN_ON_ONCE(blk_lpos->next != ALIGN(blk_lpos->next, sizeof(db->id)))) { @@ -1319,6 +1315,10 @@ static const char *get_data(struct prb_data_ring *data_ring, /* Subtract block ID space from size to reflect data size. */ *data_size -= sizeof(db->id); + /* Sanity check the max size of the regular data block. */ + if (WARN_ON_ONCE(!data_check_size(data_ring, *data_size))) + return NULL; + return &db->data[0]; } -- 2.53.0
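
Review bot: the check re-added in the second hunk no longer carries the "|| !*data_size" test that the check removed in the first hunk had, so a data size of zero after "*data_size -= sizeof(db->id);" is now accepted or rejected purely by data_check_size(), whose body these hunks do not show. The removed comment relied on "Data-less blocks were handled earlier", while the new comment only mentions the max size. Either keep the zero test in the moved check or extend the new comment to say why a zero data size cannot reach this point. Separately, the commit message says an adjusted printk_ringbuffer KUnit test reproduces the reader failure, but the diffstat lists only printk_ringbuffer.c; carrying that test case along would keep the boundary size covered.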
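
The double counting described in the commit message, as an added user-space model that is not kernel code and not part of the patch. RING_SIZE, the struct layout and the function bodies are assumptions built from the message's description; alignment padding and the WARN_ON_ONCE reporting are left out.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (assumption): names mirror the commit message only. */
#define RING_SIZE 4096u	/* stands in for DATA_SIZE(data_ring) */
struct prb_data_block { unsigned long id; char data[]; };
#define HDR ((unsigned int)sizeof(struct prb_data_block))

/*
 * Takes a *data* size and accounts for the block header itself:
 * HDR + data_size <= RING_SIZE / 2, written so it cannot overflow.
 */
static bool data_check_size(unsigned int data_size)
{
	return data_size <= RING_SIZE / 2 - HDR;
}

/* Largest data size the writer side accepts under this model. */
static unsigned int max_legal_data_size(void)
{
	return RING_SIZE / 2 - HDR;
}

/* Pre-fix ordering: the helper is handed the block size (header included). */
static bool reader_check_before_fix(unsigned int blk_size)
{
	return data_check_size(blk_size) && blk_size != 0;
}

/* Post-fix ordering: subtract the header first, then check the data size. */
static bool reader_check_after_fix(unsigned int blk_size)
{
	unsigned int data_size = blk_size - HDR;

	return data_check_size(data_size);
}

int main(void)
{
	unsigned int text = max_legal_data_size();
	unsigned int blk = HDR + text;	/* block as stored in the ring */

	printf("writer accepts %u bytes: %d\n", text, data_check_size(text));
	printf("reader, check before subtraction: %d\n", reader_check_before_fix(blk));
	printf("reader, check after subtraction:  %d\n", reader_check_after_fix(blk));
	return 0;
}
```

In this model every block size within HDR bytes of the maximum is written successfully but rejected by the pre-fix reader check, which is the "at or near the maximum legal size" window the message refers to.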