[GIT PULL] vsprintf: Fix off-by-one bug in bstr_printf() processing dereferenced pointers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Linus (aka Greg),

It was reported that trace_printk() was not reporting properly
values that came after a dereference pointer.

trace_printk() utilizes vbin_printf() and bstr_printf() to keep the
overhead of tracing down. vbin_printf() does not do any conversions
and just stors the string format and the raw arguments into the
buffer. bstr_printf() is used to read the buffer and does the conversions
to complete the printf() output.

This can be troublesome with dereferenced pointers because the reference
may be different from the time vbin_printf() is called to the time
bstr_printf() is called. To fix this, a prior commit changed vbin_printf()
to convert dereferenced pointers into strings and load the converted
string into the buffer. But the change to bstr_printf() had an off-by-one
error and didn't account for the nul character at the end of the string
and this corrupted the rest of the values in the format that came after
a dereferenced pointer.


Please pull the latest trace-v4.19-rc5 tree, which can be found at:


  git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git
trace-v4.19-rc5

Tag SHA1: b5fc80d980ae316323e88c165084deef39afd168
Head SHA1: 62165600ae73ebd76e2d9b992b36360408d570d8


Steven Rostedt (VMware) (1):
      vsprintf: Fix off-by-one bug in bstr_printf() processing dereferenced pointers

----
 lib/vsprintf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
---------------------------
commit 62165600ae73ebd76e2d9b992b36360408d570d8
Author: Steven Rostedt (VMware) <rostedt@xxxxxxxxxxx>
Date:   Fri Oct 5 10:08:03 2018 -0400

    vsprintf: Fix off-by-one bug in bstr_printf() processing dereferenced pointers
    
    The functions vbin_printf() and bstr_printf() are used by trace_printk() to
    try to keep the overhead down during printing. trace_printk() uses
    vbin_printf() at the time of execution, as it only scans the fmt string to
    record the printf values into the buffer, and then uses vbin_printf() to do
    the conversions to print the string based on the format and the saved
    values in the buffer.
    
    This is an issue for dereferenced pointers, as before commit 841a915d20c7b,
    the processing of the pointer could happen some time after the pointer value
    was recorded (reading the trace buffer). This means the processing of the
    value at a later time could show different results, or even crash the
    system, if the pointer no longer existed.
    
    Commit 841a915d20c7b addressed this by processing dereferenced pointers at
    the time of execution and save the result in the ring buffer as a string.
    The bstr_printf() would then treat these pointers as normal strings, and
    print the value. But there was an off-by-one bug here, where after
    processing the argument, it move the pointer only "strlen(arg)" which made
    the arg pointer not point to the next argument in the ring buffer, but
    instead point to the nul character of the last argument. This causes any
    values after a dereferenced pointer to be corrupted.
    
    Cc: stable@xxxxxxxxxxxxxxx
    Fixes: 841a915d20c7b ("vsprintf: Do not have bprintf dereference pointers")
    Reported-by: Nikolay Borisov <nborisov@xxxxxxxx>
    Tested-by: Nikolay Borisov <nborisov@xxxxxxxx>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@xxxxxxxxxxx>

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index d5b3a3f95c01..812e59e13fe6 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -2794,7 +2794,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
 						copy = end - str;
 					memcpy(str, args, copy);
 					str += len;
-					args += len;
+					args += len + 1;
 				}
 			}
 			if (process)



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux