From: Marcin Niesluchowski
To: Andrew Morton, Petr Mladek, Jan Kara, "Steven Rostedt (Red Hat)", Alex Elder, "Luis R. Rodriguez", Peter Hurley, Joe Perches, Kay Sievers
Cc: linux-kernel@vger.kernel.org, Łukasz Stelmach, Karol Lewandowski, Marcin Niesluchowski
Subject: [PATCH] printk: Remove possible overflow in user read buffer
Date: Wed, 20 May 2015 12:59:48 +0200
Message-id: <1432119588-22209-1-git-send-email-m.niesluchow@samsung.com>

Reading a message with a dict may cause a user buffer overflow, due to there being no limit on the written dict and a hardcoded user read buffer size. As the limits of the dict are not clear, it may be possible in an extreme use case to trigger it (e.g. by a driver passing some dict parameters from userland, or another module logging large key-value data).

Truncate the dict read by the user when its size would cause the user read buffer to overflow.

The bug was found during work on an extension of kmsg enabling writing a dict from userspace.
Signed-off-by: Marcin Niesluchowski
--- kernel/printk/printk.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c index c099b08..b61602d 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -505,6 +505,7 @@ int check_syslog_permissions(int type, bool from_file) return security_syslog(type); } +#define USER_READ_LOG_BUF_LEN 8192 /* /dev/kmsg - userspace message inject/listen interface */ struct devkmsg_user { @@ -512,7 +513,7 @@ struct devkmsg_user { u32 idx; enum log_flags prev; struct mutex lock; - char buf[8192]; + char buf[USER_READ_LOG_BUF_LEN]; }; static ssize_t devkmsg_write(struct kiocb *iocb, struct iov_iter *from) @@ -648,21 +649,29 @@ static ssize_t devkmsg_read(struct file *file, char __user *buf, unsigned char c = log_dict(msg)[i]; if (line) { + if (len >= USER_READ_LOG_BUF_LEN-1) + break; user->buf[len++] = ' '; line = false; } if (c == '\0') { + if (len >= USER_READ_LOG_BUF_LEN-1) + break; user->buf[len++] = '\n'; line = true; continue; } if (c < ' ' || c >= 127 || c == '\\') { + if (len >= USER_READ_LOG_BUF_LEN-4) + break; len += sprintf(user->buf + len, "\\x%02x", c); continue; } + if (len >= USER_READ_LOG_BUF_LEN-1) + break; user->buf[len++] = c; } user->buf[len++] = '\n'; -- 1.9.1
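Review bot: the new `#define USER_READ_LOG_BUF_LEN 8192` in the first hunk (above the `/* /dev/kmsg - userspace message inject/listen interface */` comment) carries no comment, yet it now sizes `struct devkmsg_user::buf` and is the bound every truncation check in devkmsg_read() is written against. A one-line comment stating that this is the per-reader /dev/kmsg output buffer and that a formatted record (prefix, text and dict) is truncated to fit it would let the next reader see why the `-1` and `-4` margins in the read loop exist without reverse-engineering them.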
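Review bot: in the devkmsg_read() hunk the bound checks are written as `USER_READ_LOG_BUF_LEN-1` and `USER_READ_LOG_BUF_LEN-4` with no spaces around the binary operator, which checkpatch will flag; use `USER_READ_LOG_BUF_LEN - 1` and `USER_READ_LOG_BUF_LEN - 4`. The identical `if (len >= USER_READ_LOG_BUF_LEN-1) break;` appears three times in one loop body (before the `' '`, the `'\n'` and the plain `c` store); a single check at the top of each iteration against the most an iteration can emit (the separator plus a four-byte `\xNN` escape plus sprintf's terminating NUL) would remove the duplication and keep the `-4` margin from having to be reasoned about separately. The margins as written do hold: after the `-4` check `sprintf` lands its NUL no later than index `USER_READ_LOG_BUF_LEN - 1`, and the final `user->buf[len++] = '\n'` after the loop also stays within the array. Worth a sentence in the commit message, though, is that a `break` drops the rest of the dict silently, so a `KEY=value` line can end mid-value and userspace readers get no truncation marker.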