Re: [PATCH] mm: cma: fix stack corruption due to sprintf usage

On 08/11/2017 03:10 AM, Prakash Gupta wrote:
> name[] in cma_debugfs_add_one() can only accommodate 16 chars including
> NULL to store sprintf output.  It's common for cma device name to be larger
> than 15 chars. This can cause stack corruption. If the gcc stack protector
> is turned on, this can cause a panic due to stack corruption.
> 
> Below is one example trace:
> 
> Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in:
> ffffff8e69a75730
> Call trace:
>   [<ffffff8e68289504>] dump_backtrace+0x0/0x2c4
>   [<ffffff8e682897e8>] show_stack+0x20/0x28
>   [<ffffff8e685ea808>] dump_stack+0xb8/0xf4
>   [<ffffff8e683c454c>] panic+0x154/0x2b0
>   [<ffffff8e682a724c>] print_tainted+0x0/0xc0
>   [<ffffff8e69a75730>] cma_debugfs_init+0x274/0x290
>   [<ffffff8e682839ec>] do_one_initcall+0x5c/0x168
>   [<ffffff8e69a50e24>] kernel_init_freeable+0x1c8/0x280
> 
> Fix the short sprintf buffer in cma_debugfs_add_one() by using scnprintf()
> instead of sprintf().
> 

Acked-by: Laura Abbott <labbott@xxxxxxxxxx>

> fixes: f318dd083c81 ("cma: Store a name in the cma structure")
> Signed-off-by: Prakash Gupta <guptap@xxxxxxxxxxxxxx>
> ---
>  mm/cma_debug.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/mm/cma_debug.c b/mm/cma_debug.c
> index 595b757..c03ccbc 100644
> --- a/mm/cma_debug.c
> +++ b/mm/cma_debug.c
> @@ -167,7 +167,7 @@ static void cma_debugfs_add_one(struct cma *cma, int idx)
>  	char name[16];
>  	int u32s;
>  
> -	sprintf(name, "cma-%s", cma->name);
> +	scnprintf(name, sizeof(name), "cma-%s", cma->name);
>  
>  	tmp = debugfs_create_dir(name, cma_debugfs_root);
>  
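
Review bot: the scnprintf() on the + line bounds the write but truncates silently, and nothing after it notices. With char name[16] and the "cma-" prefix, only 11 characters of cma->name survive, so two areas whose names share their first 11 characters would pass the same string to debugfs_create_dir(). Since the commit message says names longer than 15 characters are common, consider sizing name[] from the maximum length of cma->name, or folding idx into the directory name, so each area still gets a distinct entry.
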
> 
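
The truncation behaviour the fix relies on, as an added userspace example that is not part of the original thread or the kernel source. `scnprintf_user()` and `format_cma_dir()` are hypothetical stand-ins built on `vsnprintf()`, and the sample names are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in (assumption) for the kernel's scnprintf(): bounded like
 * snprintf(), but returns the number of characters actually stored, not the
 * length the untruncated output would have had. */
static int scnprintf_user(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0) {                 /* encoding error: leave an empty string */
        buf[0] = '\0';
        return 0;
    }
    return (size_t)n >= size ? (int)(size - 1) : n;
}

/* Builds the directory name the way the patched line does and reports
 * whether the CMA name had to be cut to fit. */
static int format_cma_dir(char *name, size_t size, const char *cma_name,
                          int *truncated)
{
    int stored = scnprintf_user(name, size, "cma-%s", cma_name);

    *truncated = (size_t)stored < strlen("cma-") + strlen(cma_name);
    return stored;
}

int main(void)
{
    /* Constructed sample names; the long one is hypothetical. */
    const char *samples[] = { "reserved", "linux,cma-default-pool" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char name[16];           /* same size as in cma_debugfs_add_one() */
        int cut;
        int n = format_cma_dir(name, sizeof(name), samples[i], &cut);

        printf("%-24s -> \"%s\" (%d stored, truncated=%d)\n",
               samples[i], name, n, cut);
    }
    return 0;
}
```

The buffer is never overrun, but the second name comes back shortened, which is the case a caller has to detect if distinct directory names matter.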
