Commit e3756477 authored by Jeff Mahoney's avatar Jeff Mahoney Committed by Linus Torvalds

printk: Fix calculation of length used to discard records

While tracking down a weird buffer overflow issue in a program that
looked to be sane, I started double checking the length returned by
syslog(SYSLOG_ACTION_READ_ALL, ...) to make sure it wasn't overflowing
the buffer.

Sure enough, it was.  I saw this in strace:

  11339 syslog(SYSLOG_ACTION_READ_ALL, "<5>[244017.708129] REISERFS (dev"..., 8192) = 8279

It turns out that the loops that calculate how much space the entries
will take when they're copied don't include the newlines and prefixes
that will be included in the final output since prev flags is passed as
zero.

This patch properly accounts for it and fixes the overflow.

CC: stable@kernel.org
Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent f4ba394c
...@@ -1034,6 +1034,7 @@ static int syslog_print_all(char __user *buf, int size, bool clear) ...@@ -1034,6 +1034,7 @@ static int syslog_print_all(char __user *buf, int size, bool clear)
struct log *msg = log_from_idx(idx); struct log *msg = log_from_idx(idx);
len += msg_print_text(msg, prev, true, NULL, 0); len += msg_print_text(msg, prev, true, NULL, 0);
prev = msg->flags;
idx = log_next(idx); idx = log_next(idx);
seq++; seq++;
} }
...@@ -1046,6 +1047,7 @@ static int syslog_print_all(char __user *buf, int size, bool clear) ...@@ -1046,6 +1047,7 @@ static int syslog_print_all(char __user *buf, int size, bool clear)
struct log *msg = log_from_idx(idx); struct log *msg = log_from_idx(idx);
len -= msg_print_text(msg, prev, true, NULL, 0); len -= msg_print_text(msg, prev, true, NULL, 0);
prev = msg->flags;
idx = log_next(idx); idx = log_next(idx);
seq++; seq++;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment