This is a note to let you know that I've just added the patch titled seq_buf: Fix seq_buf_bprintf() truncation to the 3.19-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: seq_buf-fix-seq_buf_bprintf-truncation.patch and it can be found in the queue-3.19 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 4d4eb4d4fbd9403682e2b75117b6b895531d8e01 Mon Sep 17 00:00:00 2001 From: "Steven Rostedt (Red Hat)" <rostedt@xxxxxxxxxxx> Date: Wed, 4 Mar 2015 23:30:45 -0500 Subject: seq_buf: Fix seq_buf_bprintf() truncation From: "Steven Rostedt (Red Hat)" <rostedt@xxxxxxxxxxx> commit 4d4eb4d4fbd9403682e2b75117b6b895531d8e01 upstream. In seq_buf_bprintf(), bstr_printf() is used to copy the format into the buffer remaining in the seq_buf structure. The return of bstr_printf() is the amount of characters written to the buffer excluding the '\0', unless the line was truncated! If the line copied does not fit, it is truncated, and a '\0' is added to the end of the buffer. But in this case, '\0' is included in the length of the line written. To know if the buffer had overflowed, the return length will be the same or greater than the length of the buffer passed in. The check in seq_buf_bprintf() only checked if the length returned from bstr_printf() would fit in the buffer, as the seq_buf_bprintf() is only to be an all or nothing command. It either writes all the string into the seq_buf, or none of it. If the string is truncated, the pointers inside the seq_buf must be reset to what they were when the function was called. This is not the case. On overflow, it copies only part of the string. The fix is to change the overflow check to see if the length returned from bstr_printf() is less than the length remaining in the seq_buf buffer, and not if it is less than or equal to as it currently does. Then seq_buf_bprintf() will know if the write from bstr_printf() was truncated or not. Link: http://lkml.kernel.org/r/1425500481.2712.27.camel@xxxxxxxxxxx Reported-by: Joe Perches <joe@xxxxxxxxxxx> Signed-off-by: Steven Rostedt <rostedt@xxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- lib/seq_buf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/lib/seq_buf.c +++ b/lib/seq_buf.c @@ -154,7 +154,7 @@ int seq_buf_bprintf(struct seq_buf *s, c if (s->len < s->size) { ret = bstr_printf(s->buffer + s->len, len, fmt, binary); - if (seq_buf_can_fit(s, ret)) { + if (s->len + ret < s->size) { s->len += ret; return 0; } Patches currently in stable-queue which might be from rostedt@xxxxxxxxxxx are queue-3.19/ftrace-clear-regs_en-and-tramp_en-flags-on-disabling-record-via-sysctl.patch queue-3.19/seq_buf-fix-seq_buf_vprintf-truncation.patch queue-3.19/ftrace-fix-en-dis-able-graph-caller-when-en-dis-abling-record-via-sysctl.patch queue-3.19/ftrace-fix-ftrace-enable-ordering-of-sysctl-ftrace_enabled.patch queue-3.19/seq_buf-fix-seq_buf_bprintf-truncation.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html