From: Yun Zhou
Subject: [PATCH 1/2] seq_buf: fix overflow when length is bigger than 8
Date: Fri, 25 Jun 2021 23:53:47 +0800
Message-ID: <20210625155348.58266-1-yun.zhou@windriver.com>
X-Mailing-List: linux-kernel@vger.kernel.org

There are two variables being increased in that loop (i and j), and i follows the raw data, and j follows what is being written into the buffer. We should compare 'i' to MAX_MEMHEX_BYTES or compare 'j' to HEX_CHARS. Otherwise, if 'j' goes bigger than HEX_CHARS, it will overflow the destination buffer.

This bug was introduced by commit 6d2289f3faa71dcc ("tracing: Make trace_seq_putmem_hex() more robust")

Signed-off-by: Yun Zhou

--- lib/seq_buf.c | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/lib/seq_buf.c b/lib/seq_buf.c index 6aabb609dd87..aa2f666e584e 100644 --- a/lib/seq_buf.c +++ b/lib/seq_buf.c @@ -210,7 +210,8 @@ int seq_buf_putmem(struct seq_buf *s, const void *mem, unsigned int len) * seq_buf_putmem_hex - write raw memory into the buffer in ASCII hex * @s: seq_buf descriptor * @mem: The raw memory to write its hex ASCII representation of - * @len: The length of the raw memory to copy (in bytes) + * @len: The length of the raw memory to copy (in bytes). + * It can be not larger than 8. * * This is similar to seq_buf_putmem() except instead of just copying the * raw memory into the buffer it writes its ASCII representation of it 
@@ -228,27 +229,19 @@ int seq_buf_putmem_hex(struct seq_buf *s, const void *mem, WARN_ON(s->size == 0); - while (len) { - start_len = min(len, HEX_CHARS - 1); + start_len = min(len, MAX_MEMHEX_BYTES); #ifdef __BIG_ENDIAN - for (i = 0, j = 0; i < start_len; i++) { + for (i = 0, j = 0; i < start_len; i++) { #else - for (i = start_len-1, j = 0; i >= 0; i--) { + for (i = start_len-1, j = 0; i >= 0; i--) { #endif - hex[j++] = hex_asc_hi(data[i]); - hex[j++] = hex_asc_lo(data[i]); - } - if (WARN_ON_ONCE(j == 0 || j/2 > len)) - break; - - /* j increments twice per loop */ - len -= j / 2; - hex[j++] = ' '; - - seq_buf_putmem(s, hex, j); - if (seq_buf_has_overflowed(s)) - return -1; + hex[j++] = hex_asc_hi(data[i]); + hex[j++] = hex_asc_lo(data[i]); } + + seq_buf_putmem(s, hex, j); + if (seq_buf_has_overflowed(s)) + return -1; return 0; } -- 2.26.1
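
Review bot: in the first hunk (@@ -210,7 +210,8 @@), the new kernel-doc line "It can be not larger than 8." hard-codes the limit and does not say what happens when a caller passes a larger value. The second hunk clamps with min(len, MAX_MEMHEX_BYTES), so the extra bytes are dropped and the function still returns 0. The comment should refer to MAX_MEMHEX_BYTES instead of the literal 8 and state that longer input is truncated, for example "@len: The length of the raw memory to copy (in bytes); at most MAX_MEMHEX_BYTES are written and the rest is ignored".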
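
Review bot: in the second hunk (@@ -228,27 +229,19 @@), removing the "while (len)" loop and the "hex[j++] = ' ';" line changes behaviour beyond the overflow fix the commit message describes. Input longer than MAX_MEMHEX_BYTES used to be emitted in space-separated chunks and is now silently truncated with a return value of 0, and the trailing separator disappears from the output for every caller. The overflow itself is addressed by the single change from "min(len, HEX_CHARS - 1)" to "min(len, MAX_MEMHEX_BYTES)", so consider keeping the loop, the "len -= j / 2" accounting and the separator, and changing only the clamp; if truncation is intended, say so in the commit message and return an error or warn when len exceeds the limit. The WARN_ON_ONCE(j == 0 || j/2 > len) guard is also dropped, so a len of 0 now reaches seq_buf_putmem(s, hex, 0). The little-endian loop "for (i = start_len-1, j = 0; i >= 0; i--)" relies on i being signed; its declaration is not visible in this hunk and is worth confirming.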