git.osdn.net Git - sagit-ice-cold/kernel_xiaomi

author	Jack Pham <jackp@codeaurora.org>
	Thu, 30 Mar 2017 16:53:53 +0000 (09:53 -0700)
committer	Jack Pham <jackp@codeaurora.org>
	Fri, 31 Mar 2017 00:34:50 +0000 (17:34 -0700)
commit	775e281fb6c19350f5c65e83e7c4b768c67bbe44
tree	c601b95335a18c4b3a2c2ea0e8d1da5c0e26e09f	tree \| snapshot
parent	664cdd33f956accabebd29edba6c220b1580744d	commit \| diff

trace: ipc_logging: Avoid buffer overflow in ipc_log_string()

In ipc_log_string() the return value from vsnprintf(), data_size,
is used to increment ectxt.offset. However, this length could
actually be much larger than that of ectxt.buff itself. This is a
typical mistake of [v]snprintf() usage [1], in that it returns
not the number of characters written but how many characters
*would* have been written regardless of whether it was truncated.
The result is that even though ectxt.buff itself is not overrun,
the incorrect size in ectxt.offset will be later used as the length
parameter when memcpy()'ing to the ipc_log_page's data, overflowing
that memory and beyond. The write_page's write_offset would also
indicate an out-of-bounds (greater than PAGE_SIZE) length.

The fix is simple: use vscnprintf() instead of vsnprintf().

[1] https://lwn.net/Articles/69419/

Change-Id: I2e9d44e74f5f30a009732e31a554d82e31946999
Signed-off-by: Jack Pham <jackp@codeaurora.org>