• Steven Rostedt (VMware)'s avatar
    vsprintf: Fix off-by-one bug in bstr_printf() processing dereferenced pointers · 62165600
    Steven Rostedt (VMware) authored
    The functions vbin_printf() and bstr_printf() are used by trace_printk() to
    try to keep the overhead down during printing. trace_printk() uses
    vbin_printf() at the time of execution, as it only scans the fmt string to
    record the printf values into the buffer, and then uses vbin_printf() to do
    the conversions to print the string based on the format and the saved
    values in the buffer.
    
    This is an issue for dereferenced pointers, as before commit 841a915d,
    the processing of the pointer could happen some time after the pointer value
    was recorded (reading the trace buffer). This means the processing of the
    value at a later time could show different results, or even crash the
    system, if the pointer no longer existed.
    
    Commit 841a915d addressed this by processing dereferenced pointers at
    the time of execution and save the result in the ring buffer as a string.
    The bstr_printf() would then treat these pointers as normal strings, and
    print the value. But there was an off-by-one bug here, where after
    processing the argument, it move the pointer only "strlen(arg)" which made
    the arg pointer not point to the next argument in the ring buffer, but
    instead point to the nul character of the last argument. This causes any
    values after a dereferenced pointer to be corrupted.
    
    Cc: stable@vger.kernel.org
    Fixes: 841a915d ("vsprintf: Do not have bprintf dereference pointers")
    Reported-by: default avatarNikolay Borisov <nborisov@suse.com>
    Tested-by: default avatarNikolay Borisov <nborisov@suse.com>
    Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
    62165600
vsprintf.c 74.6 KB